1. This best practice is based on the principle that a system should not leak any potentially sensitive information.

    Sign-in forms that follow this best practice are sensible. The issue here is with a registration process that does leak information. This is a good example of engineers following best practice without understanding the underlying principle that leads to it.

    This is not just about hacking either. Leaking the existence of a registered email address is leaking personal information about the individual who owns that email address. The article you link to gives GitHub as an example, which I doubt many people would care about others knowing. But what if it was Tinder? Or Gamblers Anonymous?
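The contrast the comment above draws, as an added example that is not part of the original post or the commenter's words: a sign-in handler that answers "invalid email or password" regardless of which half is wrong (and does the same hashing work on both paths), next to a registration handler that leaks account existence through its response, and a hardened registration handler that answers identically either way and tells the address owner what happened by email. The in-memory store, the `Outbox` stand-in for a mail sender, and the sample accounts are constructed for the example; the function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# ---- sign-in: one message for "no such user" and "wrong password" ----------

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Dummy credential used when the email is unknown, so an unknown address costs
# the same hashing work as a known one (no timing hint either).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)

# Constructed sample account for the example.
_ALICE_SALT = os.urandom(16)
CREDENTIALS = {"alice@example.com": (_ALICE_SALT, _hash("correct horse", _ALICE_SALT))}

def login_uniform(email: str, password: str, creds: dict) -> tuple[int, str]:
    """Same status, message and work whether the email exists or not."""
    salt, stored = creds.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if password_ok and email in creds:
        return 200, "Signed in."
    return 401, "Invalid email or password."

# ---- registration: the leaky form and the uniform form ---------------------

REGISTERED = {"alice@example.com"}  # constructed: one pre-existing account

@dataclass
class Outbox:
    """Stand-in for a mail sender; records what would have been emailed."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))

def register_leaky(email: str, store: set, outbox: Outbox) -> tuple[int, str]:
    """The leaky form: status and message differ by whether the address exists,
    so anyone can test an address without owning it."""
    if email in store:
        return 409, "An account with that email address already exists."
    store.add(email)
    outbox.send(email, "Welcome! Please confirm your address")
    return 201, "Registered. Check your inbox to confirm your address."

def register_uniform(email: str, store: set, outbox: Outbox) -> tuple[int, str]:
    """The hardened form: identical response on both paths. Only the owner of
    the mailbox learns which case applied."""
    if email in store:
        outbox.send(email, "Someone tried to sign up with your address")
    else:
        store.add(email)  # a real system would hold this pending confirmation
        outbox.send(email, "Welcome! Please confirm your address")
    return 200, "If this address can be registered, we have sent you an email."

# ---- attacker's view: does the response reveal existence? ------------------

def probe(handler, candidates: list[str], store: set) -> dict[str, bool]:
    """For each candidate, compare its response with the response a never-seen
    address gets. True means existence was inferred from the response alone.
    Each call runs against a copy of the store so probes do not interfere."""
    inferred = {}
    for email in candidates:
        fresh = handler("never-seen@attacker.invalid", set(store), Outbox())
        observed = handler(email, set(store), Outbox())
        inferred[email] = observed != fresh
    return inferred

if __name__ == "__main__":
    targets = ["alice@example.com", "bob@example.com"]
    print("leaky:  ", probe(register_leaky, targets, REGISTERED))
    print("uniform:", probe(register_uniform, targets, REGISTERED))
```

`probe` models only what the HTTP response gives away. The uniform handler still does slightly different work on the two branches, and a real deployment also has to keep the two paths close in response time, rate-limit the endpoint, and make sure the confirmation and "someone tried to sign up" emails do not themselves become an oracle (for example by letting the mail provider's bounce behaviour differ).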
