top | item 37418602


pevey | 2 years ago

I used to think info about whether an account exists should not be leaked in the password reset flow, and I designed sites this way, but then someone pointed out that in practice a hacker would then just move to the account sign up flow to check for the existence of an account. (If account exists, you cannot make another with that email on most sites.) I never had a good response for that. I now lean toward the idea that not providing info is just not worth the bad UX.

f33d5173 | 2 years ago

> If account exists, you cannot make another with that email on most sites.

Many sites require you to verify your email before you can use your account. If you wanted to avoid leaking whether an account existed, you could show them a message like "if this account doesn't already exist, a message has been sent to your email asking you to verify it". If the account did exist, you might send an email like "someone tried to create an account with your email".
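As an added example (not code from either commenter or from any real site), here is the scheme f33d5173 describes, in Python. An in-memory user table, a pending-sign-up table and a recorded outbox stand in for a database and a mail service; the `example.com` URLs, the table names and the message wording are assumptions. Both the sign-up and the password-reset handlers return one fixed string on every path, and the branch that differs is which email gets sent. It also does the password hashing on both branches of sign-up, since skipping the KDF when the account already exists would leak the same fact through response time.

```python
import hashlib
import secrets

# Constructed stand-ins, not any real site's code: an in-memory user table keyed
# by email, a table of sign-ups awaiting verification, and an outbox that records
# what a mail service would have sent.
USERS = {"alice@example.com": {"pw_hash": b"", "salt": b""}}
PENDING_SIGNUPS = {}
OUTBOX = []

# Every path of each flow returns the same string, so the HTTP response body
# never says whether the address is registered.
SIGNUP_RESPONSE = ("If there is no account for this address yet, we have sent it "
                   "a link to verify the email.")
RESET_RESPONSE = ("If an account exists for this address, we have sent it "
                  "password reset instructions.")


def _send(to, subject, body):
    OUTBOX.append({"to": to, "subject": subject, "body": body})


def _hash_password(password, salt):
    # Deliberately low iteration count so the example runs fast; a real
    # deployment uses a proper cost setting (or scrypt/argon2).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def signup(email, password):
    """Sign-up flow: same response either way, a different email either way."""
    email = email.strip().lower()
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    # Hash on both branches: skipping the KDF when the account exists would
    # make the existing-account path measurably faster.
    pw_hash = _hash_password(password, salt)
    if email in USERS:
        _send(email, "Account already exists",
              "Someone tried to create an account with this email address. "
              "If that was you, sign in or reset your password instead.")
    else:
        PENDING_SIGNUPS[token] = {"email": email, "pw_hash": pw_hash, "salt": salt}
        _send(email, "Verify your email",
              f"Finish creating your account: https://example.com/verify?token={token}")
    return SIGNUP_RESPONSE


def verify_signup(token):
    """Complete a sign-up; the account only exists once the link is clicked."""
    pending = PENDING_SIGNUPS.pop(token, None)
    if pending is None or pending["email"] in USERS:
        return False
    USERS[pending["email"]] = {"pw_hash": pending["pw_hash"], "salt": pending["salt"]}
    return True


def reset_password(email):
    """Password-reset flow: identical response, one email sent on both branches."""
    email = email.strip().lower()
    token = secrets.token_urlsafe(32)
    if email in USERS:
        USERS[email]["reset_token"] = token
        _send(email, "Reset your password",
              f"Reset link: https://example.com/reset?token={token}")
    else:
        _send(email, "Password reset requested",
              "A password reset was requested for this address, but no account "
              "is registered under it.")
    return RESET_RESPONSE


if __name__ == "__main__":
    print(signup("alice@example.com", "hunter2"))   # existing: "already exists" email
    print(signup("bob@example.com", "hunter2"))     # new: verification email
    print(reset_password("carol@example.com"))      # no account: still RESET_RESPONSE
    for msg in OUTBOX:
        print(msg["to"], "<-", msg["subject"])
```

With this arrangement the only place the existence of an account is visible is the mailbox itself, which the requester has to control to read. Both handlers will send mail to any address typed into them, so in practice they need per-address and per-client rate limiting, which the example leaves out.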