It seems pretty typical to limit user accounts to unique email addresses. So on my user registration form, I am doing email validation and returning a message like
An account has already been registered for [email protected]
Then it occurred to me that an attacker could use this form to determine information about my users. Is there an alternative way to provide validation messages to my users without compromising security? It doesn't seem to me there is any way around it.
The "already in use" message means that you are attempting to register an account, but there is already one registered using your email address.
They should need to login. Also the confirmation email should not contain their password. If they managed to give you the wrong email address and you automatically log them in then someone else has access to their account now. This holds even if you have them type their email address twice.
Rob Napier's answer is correct. You should decide whether your users actually need that anonymity at the cost of degraded UX (in most cases they wouldn't care).
Here's how some big names do it:
Error: Account with this email already exists.
This email address is not available. Choose a different address.
A user with that email already exists (Code: 1079)
Someone's already using that email.
Forgot your account’s password or having trouble logging into your Team? Enter your email address and we’ll send you a recovery link.
Simply tell them they cannot use the email address they have supplied? You don't need to give any more reason than that. If they know it's not their email they might still guess it's an existing address, but you haven't confirmed that.
Or
How about telling them you've sent an email to that address and they need to confirm - even if you haven't.
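The two answers above (don't auto-login or email the password; answer every registration attempt with the same "we've sent you an email" message) come together in the flow below. This is an added example, not code from the question or any of the answerers. It assumes an in-memory user store and a stub mail transport that just records outgoing mail, and the verification URL `https://example.invalid/verify?token=...` is a placeholder. The point it demonstrates is that the web response carries no information about whether the address is already registered; that distinction is delivered only to whoever controls the mailbox, and the password hash is computed on both paths so the timing of the two branches stays similar.

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for the database and the mail transport.
USERS: dict[str, bytes] = {}      # confirmed accounts: email -> salt + password hash
PENDING: dict[str, tuple] = {}    # unverified sign-ups: token -> (email, salt + hash)
OUTBOX: list[dict] = []           # mail "sent" by the stub transport (constructed)

# Single neutral message returned to the browser for every registration attempt,
# whether or not the address already has an account.
NEUTRAL_RESPONSE = "If this address can be registered, we've sent an email with the next step."


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the result is ever stored, never the password."""
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _send_mail(to: str, subject: str, body: str) -> None:
    """Stub transport: a real deployment would hand this to an SMTP/API client."""
    OUTBOX.append({"to": to, "subject": subject, "body": body})


def register(email: str, password: str) -> str:
    """Enumeration-resistant registration: identical response on both paths."""
    email = email.strip().lower()
    # Hash on both branches so an existing vs. new address does not change the
    # response time noticeably.
    record = _hash_password(password, secrets.token_bytes(16))

    if email in USERS:
        # Existing account: tell the mailbox owner, not the web client, and
        # point them at password reset rather than revealing anything here.
        _send_mail(email, "You already have an account",
                   "Someone tried to sign up with this address. If that was you, "
                   "use the password reset link instead.")
    else:
        token = secrets.token_urlsafe(32)
        PENDING[token] = (email, record)
        # The mail carries a one-time verification token, never the password.
        _send_mail(email, "Confirm your account",
                   f"Verify your address: https://example.invalid/verify?token={token}")
    return NEUTRAL_RESPONSE


def verify(token: str) -> bool:
    """Consume a verification token. Returns True on success. The caller should
    redirect to the login page; it must not start a session on this result."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return False                # unknown or already-used token
    email, record = entry
    USERS.setdefault(email, record)  # first successful verification wins
    return True


if __name__ == "__main__":
    print(register("Alice@example.invalid", "correct horse battery staple"))
    print(register("alice@example.invalid", "another guess"))
    for mail in OUTBOX:
        print(mail["to"], "|", mail["subject"])
```

Note that `verify()` deliberately returns only a boolean: the requirement from the earlier answer is that a mistyped address must not hand a session to whoever owns the mailbox, so the user still has to log in with the password they chose. The existing-account mail is also the natural place to mention password reset, since that is the legitimate next step for a user who forgot they had signed up.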