Nonexistent account disclosure

[stuartpb]

Is trying to log in with a nonexistent account distinguished from trying to log in with the wrong password? Does the password recovery form tell you whether or not a user with that account exists?

These are things that can potentially be considered leaks (and if one does it, the other should too): if they're not considered a major leak, they should both be differentiated for usability.

Only distinguishing one is a red flag.

[stuartpb]

AngelList's password recovery:

If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes.

[stuartpb]

MailChimp blog post about differentiating for usability due to the aforementioned hole: http://blog.mailchimp.com/social-login-buttons-arent-worth-it/

[stuartpb]

Bountysource discloses account existence before you even submit the form.

[stuartpb]

Maybe login.noaccount, with values of caught, error, and undisclosed (where caught describes real-time validation)? And a similar password.reset.noaccount with the same fields?

[stuartpb]

And, of course, it's possible to flub this without realizing: http://fusion.net/story/169808/ashley-madison-was-never-completely-discreet/ - perhaps there should be an "inadvertently-disclosed" value (misdisclosed?).

[stuartpb]

https://porkbun.com/account/forgot reveals an account's presence.

[stuartpb]

The real spec work for accommodating this needs to be taking forthcompat with #125 into account, which is why the schema work is currently happening over there.