
This is mentioned in the submission. The argument is as follows: If you're vague on the login page but still do the validation on the signup page, the information leakage happens regardless, just on the signup page rather than login, as most websites only allow one account per email.


“If you’re trying to prevent this information leakage, you also need to consider the following things” would be a much better conclusion to arrive at. Services that considered that problem just let you sign up twice and send you an email saying “you already seem to have an account.” As a positive side effect, this also notifies the account owner.


I just finish the registration process as normal, but email the address to say that someone is trying to sign up again and to ask if it is them.

The user who signs up won’t notice anything.


That's a good argument for not letting the signup page leak information.
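The flow described in the comments above, as an added example that is not code from any commenter: signup returns one response for new and already-registered addresses and tells the difference only by email, and login uses a single failure message. The in-memory `USERS` and `OUTBOX` stores, the template names, and the response strings are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for a user table and an outbound mail queue.
USERS = {}    # normalized email -> (salt, password hash)
OUTBOX = []   # (recipient, template name)

GENERIC = {"status": 200, "body": "Check your inbox to finish signing up."}

def normalize(email):
    return email.strip().lower()

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def signup(email, password):
    """Return the same response whether or not the address is registered."""
    addr = normalize(email)
    salt = os.urandom(16)
    # Hash before branching so both paths do comparable work.
    digest = hash_password(password, salt)
    if addr in USERS:
        # Existing account: leave it untouched, notify the owner by email.
        OUTBOX.append((addr, "signup_attempt_on_existing_account"))
    else:
        USERS[addr] = (salt, digest)
        OUTBOX.append((addr, "confirm_new_account"))
    return dict(GENERIC)

def login(email, password):
    """One failure message for an unknown address and a wrong password."""
    salt, stored = USERS.get(normalize(email), (b"\0" * 16, b""))
    candidate = hash_password(password, salt)  # computed for unknown users too
    if stored and hmac.compare_digest(candidate, stored):
        return {"status": 200, "body": "Welcome back."}
    return {"status": 401, "body": "Invalid email or password."}
```

In a real service the mail would be queued and sent outside the request, so that delivery time does not distinguish the two signup paths.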



