
So just keep trying addresses until you get a reset link sent to you. It's really unacceptable for any service to leak its user list in the way you suggest.

EDIT: x1j7xJuzX in the sibling subthread has it right for email addresses. It's true that separate usernames would be difficult to handle in a user-friendly manner without leaking, but with a valid email address a separate username is probably unnecessary. It doesn't help the user interact with the site. If users interact with each other, they can just choose non-unique display names. To prevent impersonation, just use display name plus some other invariant account property to generate a hash that is displayed alongside the display name.




Doesn't almost every service leak users at sign up? There are ways around it but I don't think they're very common.


How do you avoid 'leaking the user list' if you enforce unique usernames?


If you use email as username, you can make the sign up give the same "check your email to confirm your account" message for a new account and an existing account. This works well for new users and those who have already signed up but perhaps forgot, and leaks no information to someone who doesn't have access to that email account.

I'm not sure how to do this just for usernames, but usernames are less sensitive than emails anyway.
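The sign-up flow described in the comment above, as an added example that is not part of the original thread: the service returns the same message whether or not the address is already registered, and puts the distinguishing information only in the email, which reaches the mailbox owner rather than the requester. A deliberately leaky variant is included for contrast. The in-memory account store, the outbox stand-in and the link formats are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Outbox:
    """Stand-in for a mail queue (constructed); records what would be sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


def leaky_signup(existing: set[str], email: str) -> str:
    """The common, leaky behaviour: the response itself reveals whether an account exists."""
    if email in existing:
        return "That email address is already registered."
    existing.add(email)
    return "Check your email to confirm your account."


class SignupService:
    GENERIC_MESSAGE = "Check your email to confirm your account."

    def __init__(self, outbox: Outbox):
        self.outbox = outbox
        self.accounts: dict[str, dict] = {}  # email -> {"confirmed": bool, "token": str | None}

    @staticmethod
    def normalise(email: str) -> str:
        # Normalise before lookup so "A@Example.com " and "a@example.com" are one account.
        return email.strip().lower()

    def signup(self, email: str) -> str:
        email = self.normalise(email)
        if email in self.accounts:
            # Existing account: the mailbox owner learns this, the requester does not.
            self.outbox.send(
                email,
                "You already have an account",
                "Someone tried to sign up with this address. If that was you, "
                "log in or use the password reset link instead.",
            )
        else:
            token = secrets.token_urlsafe(32)
            self.accounts[email] = {"confirmed": False, "token": token}
            self.outbox.send(
                email,
                "Confirm your account",
                f"Follow this link to confirm: https://example.invalid/confirm?token={token}",
            )
        # Same response on both paths.
        return self.GENERIC_MESSAGE

    def confirm(self, token: str) -> bool:
        """Consume a confirmation token; constant-time comparison avoids a timing oracle on the token."""
        for record in self.accounts.values():
            stored = record["token"]
            if stored is not None and hmac.compare_digest(stored, token):
                record["confirmed"] = True
                record["token"] = None
                return True
        return False


if __name__ == "__main__":
    outbox = Outbox()
    svc = SignupService(outbox)
    print(svc.signup("alice@example.com"))
    print(svc.signup("Alice@Example.com "))  # same message, different email behind the scenes
    for to, subject, _ in outbox.sent:
        print(to, "<-", subject)
```

The message is only one channel: if the existing-account path hashes a password or sends mail synchronously while the new-account path does not, response time still distinguishes the two, so do the same work on both paths (or hand the email off to a queue) and rate-limit sign-up attempts per source as well.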





