undefined | Better HN

0 pointsavalys4y ago0 comments

“Sorry, this password is already being used by joseph.h.blow@gmail.com, please choose another.”

0 comments

4 comments · 1 top-level

genewitch4y ago· 3 in thread

every so often i'll find a website that has logins that will say "email address / username not found" instead of "username or password incorrect"; or, when clicking "i forgot my password" it will say it doesn't recognize the email address instead of "check your email inbox, if you have an account here, you will receive instructions via email".

I don't even

latch4y ago

You can remove username enumeration from login and password reset, but it's much harder to remove it from signup. And this is pretty much an all or nothing, there's no point giving cryptic error messages (in the case of forgot password) to users when hackers will just use the signup form anyways. Want a good example? Hacker News: "That username is taken. Please choose another." I just tried on github, generic error message on login, explicit "email in use" error on signup. Amazon? Same thing.

I'd wager that 99% of website allow username enumeration. The very few cases that don't, typically shield their signup with additional steps (captchas, mobile OTP (e.g. paypal, ...)). None of which are foolproof and all of which are a compromise not just from a security point of view but also from a usability point of view.

Until someone gives me a great way to do this with signups, I'm going to stick with the much more usable forgot password error message.

tialaramex4y ago

Hacker News has username enumeration anyway because it has per-user profile links which, like Reddit's, are cool URLs (ie the URL has the username in it, as a parameter, not some UUID minted by a machine at random).

Also, and again like (most of) Reddit, Hacker News is public anyway, it's outright weird to have a HN user, choose a distinct name for it when you didn't have to, and then be angry that HN reveals the existence of your user.

However, if sites have distinct username and email then getting one doesn't give you the other.

jaxn4y ago

How about email validation as a first step and send the "this email is in use" message via email instead of on the sign up form.

Adds friction to signup, but would work when it's really important to not leak account existence.

1 more reply

j / k navigate · click thread line to collapse