I'm not saying you're completely wrong here, but from a security standpoint, as a site owner, you really don't want to give any information that can be used against you, and your own users. To put it bluntly, this approach is kinda "you're not a user deserving a 'user-experience' until you actually proved that you are a real user".
I think it really depends on the type of site and its concerns about security. I'll give you two extreme examples:
* A hobbyist site for knitting, targeted at elderly people. Perhaps it should care more about the user experience, helping people to login even if they made a typo, than to protect from hackers finding out which email accounts exist on the site.
* Some bizarre highly-personal fetish site. Knowing whether or not an email address is registered on this site is in itself something worth protecting. Not to mention increasing the chances of then being able to hack into one of those accounts.
Basically what I'm saying is that security is almost always a trade-off, and it depends on the site and its user expectations.
You might increase usability slightly, but in exchange you are allowing attackers to cut the work they need to do to compromise your users' accounts in half. If you use email addresses for login, you are also allowing spammers to verify valid email addresses against your system for spam or phishing attacks later on.
I'm aware of the fact that this makes attackers' jobs easier. However, many websites (including Codecademy) tell you whether the email address you provided is registered or not when you visit the Forgot Password page. If you are displaying a message such as "If the email address you provided is registered, you will receive an email shortly." then I can actually believe that your main concern is security and that's what prevented you from displaying a clearer error message.
Just added this at the end of the post for clarification.
The only reason I don't do this is because a hacker could potentially guess an email or username until it's correct, then brute force his way in with a password (because a lot of users don't make secure passwords that are long, multi-character, etc.). Maybe it makes it a little bit more difficult, but for me it's worth it. Also, even Google does this, and I think most end users are accustomed to seeing this message.
This is not an excuse for most of the sites (including Codecademy) because when you follow the "Forgot password" link and type in an email address, they instantly tell you whether that email address exists or not.
If you are displaying a message such as: "If the email address you provided is registered, you will receive an email shortly." then fine :)
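As an added illustration (not code from anyone in this thread), here is a minimal forgot-password handler in both forms discussed above: the leaky one that answers differently for registered and unregistered addresses, and the uniform one that returns the same "If the email address you provided is registered..." response either way. The user store, mail transport and `responses_differ` check are constructed for the example.

```python
import secrets

# Constructed sample user store (not from the thread): email -> display name
USERS = {"alice@example.com": "Alice"}

# Stand-in for the mail transport so the example runs offline
SENT_MAIL = []

GENERIC = ("If the email address you provided is registered, "
           "you will receive an email shortly.")


def forgot_password_leaky(email):
    """The behaviour criticised above: the response reveals whether
    the address is registered, so the endpoint doubles as an account
    enumeration oracle."""
    if email not in USERS:
        return {"status": 404, "message": "No account found for that email address."}
    token = secrets.token_urlsafe(32)
    SENT_MAIL.append((email, token))
    return {"status": 200, "message": "Password reset email sent."}


def forgot_password_uniform(email):
    """Hardened form: identical status and message whether or not the
    address exists. The token is generated before the branch so both
    paths do similar work; in a real service the mail itself should be
    queued asynchronously so delivery time does not leak the answer."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        SENT_MAIL.append((email, token))
    return {"status": 200, "message": GENERIC}


def responses_differ(handler, registered, unregistered):
    """Simple check a defender can run against an endpoint: does the
    visible response distinguish a known address from an unknown one?"""
    a = handler(registered)
    b = handler(unregistered)
    return (a["status"], a["message"]) != (b["status"], b["message"])


if __name__ == "__main__":
    for h in (forgot_password_leaky, forgot_password_uniform):
        print(h.__name__, "leaks existence:",
              responses_differ(h, "alice@example.com", "nobody@example.com"))
```

Running it prints that the leaky handler distinguishes the two addresses and the uniform one does not, while the uniform handler still only records a mail for the registered address.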
Very good point. This should be mentioned on the blog post too, and maybe brought to the attention of the site owners. It definitely makes a stronger case for either:
* avoiding giving away this piece of information on the forgot password screen
or
* telling the user whether it's their password or username that is wrong.