Huh? He's suggesting that as a Real User that if you don't whether you have an a... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

mbesto on Dec 1, 2014 | parent | context | favorite | on: “Invalid username or password” is a useless securi...

Huh? He's suggesting that as a Real User that if you don't whether you have an account at all is to just sign up again. People use multiple emails for different accounts all of the time. How is that not a frustrating experience for the Real User?

waxjar on Dec 1, 2014 [–]

That's not what is meant.

An attacker who wants to find out of if the person with "example@example.com" has on account on your website, could try signing up with "example@example.com". If they get an error message, they know the person has an account on the website.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact