There are two situations where I'm not sure what the best action is.

1. A visitor tries to create an account using an email address that
already exists.

Do we tell the visitor what the situation is? On the one hand, it
provides potentially useful feedback. On the other hand, it leaks
information about the email in question.

A second option is to go ahead and send a notification to the email
address, and just give the standard feedback ("go check your email
..."). The notification email would just be different. "Yo, someone
tried to create an account, but it already exists. Something-

I favor the latter option, although I'm not sure what the email
notification should say. Should there be a link to directly reset the
password, in case that's the next thing the user wants? Or should it
just say, "Heads up, somebody tried to create an account with this
address. Nothing has happened though, you're cool."


2. A visitor tries to reset the password for an email address that
doesn't exist.

This is the obverse of the first situation. Basically the same options
apply. I would be inclined, again, to simply send an email, while
providing no tell-tale information to the visitor.

What say you?

I've created an issue to track this question:

Attachment: signature.asc
Description: Digital signature

Discuss mailing list

Reply via email to