Prevent user name/email leakage via the sign in form #5
The signup process is just very flawed on both the security and UX fronts.
From the UX POV, it is just ridiculous to expect a user to select a unique user name without giving him any indication of what might be available. Knowing that "admin" is taken does not help much.
The correct flow should be to let the user register with his email only, then, after the email is confirmed, generate an automatic one for him and suggest to him to change it.
It is still possible to enumerate user names in that kind of flow, but it is much easier to limit the number of such attempts, and it makes the process somewhat harder to automate.
…email address for which there is already an associated user, send a password reset email, and display the same message as if the user registration was successful #5
…er send a password reset to the email #5
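The flow proposed in this thread (email-only signup, identical response whether or not the address is taken, password-reset mail for known addresses, auto-generated user name after confirmation, and a cap on attempts), as an added example that is not part of this project's code. `FakeMailer`, `Registration` and the token format are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

SUCCESS_MSG = "Check your email to continue."
THROTTLED_MSG = "Too many attempts, please try again later."


@dataclass
class FakeMailer:
    """Constructed stand-in for a real mailer; records what would be sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, kind: str, token: str) -> None:
        self.sent.append((to, kind, token))


class Registration:
    """Email-only signup that never reveals whether an address is taken."""

    def __init__(self, existing_emails, mailer, max_attempts: int = 5):
        self.users = {e.lower(): None for e in existing_emails}  # email -> username
        self.mailer = mailer
        self.pending = {}   # verification token -> email
        self.attempts = {}  # client key (e.g. source IP) -> signup attempts
        self.max_attempts = max_attempts

    def register(self, email: str, client: str) -> str:
        # Cap attempts per client so enumeration through this form is slow to automate.
        n = self.attempts.get(client, 0) + 1
        self.attempts[client] = n
        if n > self.max_attempts:
            return THROTTLED_MSG  # independent of the email, so nothing leaks
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)
        if email in self.users:
            # Known address: send a password-reset link instead of a welcome mail.
            self.mailer.send(email, "password_reset", token)
        else:
            self.pending[token] = email
            self.mailer.send(email, "verify", token)
        return SUCCESS_MSG  # identical response on both branches

    def confirm(self, token: str) -> Optional[str]:
        """Finish signup: assign a generated user name the user can change later."""
        email = self.pending.pop(token, None)
        if email is None:
            return None
        username = "user-" + secrets.token_hex(4)
        self.users[email] = username
        return username
```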