And then what happens when the user tries to log in with the password they just "created"? They will get the same error message as before, but be extremely confused since they just "registered" with that password. Not to mention their browser may have prompted and stored the fake registration password, etc.
What do you mean login? I'm talking about the signup flow. The signin flow would be consistent with what is discussed in the article "invalid username or pw".
What do users usually do after registering an account? They try to log in with it (assuming they aren't automatically logged in after registration, which is what I would generally prefer / expect as a user).
You are giving the user so many chances to just say "forget this" and move on to a different website. Especially if they are on mobile, registering for services is a huge pain in the butt.
My basic point is you are severely impairing the UX to prevent what I think is an extremely minor and generally irrelevant piece of information leakage.
1. Sign up for an account
2. Enter the email
3. Receive a confirmation email
4. Create password
5. Sign in
This is what OP means. You just ingest step 2 without confirming whether the email is in use or not. The actual account creation should occur only after email confirmation.
Gotcha. That does make more sense and basically signup and reset password are essentially the same process. If the user doesn't have an account previously at that point you collect the information needed to proceed. I personally would not want to break up my onboarding experience like this but I can see other people making the trade off.
If the GP is assuming that initial password setting is done via the verification link sent in the verification email, then the workflow they're proposing won't cause the confusion you describe. In other words, the "verify my email address" link is to a form that says "Create and verify password to confirm your email address."
If you're assuming that initial password entry is done before email verification, then there's a possibility for confusion there.
Honestly, the lowest friction workflows collect information lazily. Don't require setting a password (if at all... expiring login links in emails are a nice alternative) until the email is verified. Don't require a mailing address or credit card number at all, but have a "save for later" checkbox/button as part of the checkout workflow, etc.
2. Enter username, password, checkbox for terms of service.
3. Get prompted to enter the 6-digit confirmation code that was emailed to you (if you were already registered, it says you have an account and links to the login and password reset pages if required).
4. Registration is complete and the user is automatically signed in.
The username or email address isn't blocked until someone completes a registration with it.
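An added example, not code from the thread or from any site discussed in it, of the flow in the numbered steps above: the signup endpoint answers identically whether or not the address is registered, the "you already have an account" notice goes only to the inbox, the account is created only after the emailed code is presented, and sign-in returns one generic failure. The in-memory storage, the outbox standing in for email delivery, and the message strings are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: constant messages returned regardless of whether the address exists.
GENERIC_SIGNUP_MSG = "If that address can be used, we've sent it an email."
GENERIC_SIGNIN_MSG = "Invalid username or password."


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Dummy credentials so sign-in does the same work for unknown addresses (no timing tell).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = _hash("unused", _DUMMY_SALT)


class SignupService:
    def __init__(self):
        self.accounts = {}  # email -> (salt, digest); created only after confirmation
        self.pending = {}   # email -> 6-digit code awaiting step 3
        self.outbox = []    # stands in for email delivery; a real site would send these

    def request_signup(self, email):
        """Step 2: take the address without saying whether it is already registered."""
        if email in self.accounts:
            # Only the owner of the inbox learns that an account already exists.
            self.outbox.append({"to": email, "code": None,
                                "note": "You already have an account; sign in or reset your password."})
        else:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[email] = code
            self.outbox.append({"to": email, "code": code, "note": "Your confirmation code"})
        return GENERIC_SIGNUP_MSG  # identical reply on both branches

    def confirm(self, email, code, password):
        """Steps 3-4: the account comes into existence only once the emailed code is presented."""
        expected = self.pending.get(email)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, _hash(password, salt))
        del self.pending[email]
        return True

    def sign_in(self, email, password):
        """Step 5: one failure message whether the email is unknown or the password is wrong."""
        salt, digest = self.accounts.get(email, (_DUMMY_SALT, _DUMMY_DIGEST))
        ok = hmac.compare_digest(digest, _hash(password, salt))
        return "ok" if ok and email in self.accounts else GENERIC_SIGNIN_MSG
```

Expiry of pending codes and rate limiting of the signup endpoint are left out here; both belong in a real deployment.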