
> "But after some further consideration, we decided that it was a false risk, as the username reminder form already tells you if a username exists"

The solution would be to close that hole, rather than opening the same hole somewhere else. For example, for the username reminder form, if the username can't be found for a given email address, then that can be conveyed to the user by sending them an email message.



Well, how do you work around the issue of the New User Registration form telling you that the username already exists?

I think it's better to assume usernames are publicly available information and at least get your UX right for the Login Form.


Good point. There isn't much you can do about usernames, but if the site just uses email addresses as a login then you can protect that.


Looking at the MailChimp site, I don't understand how that would make much of a difference. Right now, you can enter emails into the "Forgot Username" field and eventually hit a good one, but then you need to crack the email account to get the username so that you can then stick that in the "Forgot Password" form. Eliminating usernames, you click the "Forgot Password" link and enter emails into the field until you hit a good one, giving you both the email and "username" right away.
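The approach the first commenter proposes (answer the reminder form the same way whether or not the address is registered, and put the real outcome in an email), applied to the three forms the thread mentions: forgot-username, forgot-password with email-as-login, and registration. This is an added illustration, not MailChimp's code or code from anyone in the thread; the user table, the outbox, the `https://example.test` link and the pending-registration set are constructed stand-ins for a database and a mail queue.

```python
import hashlib
import secrets

# Constructed sample accounts (email -> username); not real data.
USERS = {
    "alice@example.test": "alice42",
    "bob@example.test": "bobby",
}
PENDING = set()        # constructed: addresses that started signup but have not verified
RESET_TOKENS = {}      # constructed: sha256(token) -> email, so a leaked table is useless alone
OUTBOX = []            # constructed stand-in for a mail queue, so the example runs offline

# Every branch of every handler returns one of these, so the HTTP response carries
# no information about whether the address exists. Only the inbox owner learns that.
REPLY_USERNAME = {"status": 200, "message": "If that address is registered, we've emailed the username to it."}
REPLY_RESET = {"status": 200, "message": "If that address is registered, we've emailed a reset link to it."}
REPLY_SIGNUP = {"status": 200, "message": "Check your email to finish signing up."}


def _normalize(email):
    # Case and whitespace must not change the outcome, or "Alice@" vs "alice@" becomes a probe.
    return email.strip().lower()


def _send(to, subject, body):
    OUTBOX.append({"to": to, "subject": subject, "body": body})


def forgot_username(email):
    """Username reminder: an email goes out either way, and the reply is identical."""
    email = _normalize(email)
    username = USERS.get(email)
    if username is not None:
        _send(email, "Your username", f"Your username is {username}.")
    else:
        _send(email, "Your username", "No account is registered under this address.")
    return dict(REPLY_USERNAME)


def forgot_password(email):
    """Password reset for an email-as-login site: same reply whether or not the account exists."""
    email = _normalize(email)
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
        _send(email, "Password reset", f"Reset link: https://example.test/reset?token={token}")
    else:
        _send(email, "Password reset", "No account is registered under this address, so nothing was changed.")
    return dict(REPLY_RESET)


def register(email):
    """Signup: instead of 'already taken', tell the inbox owner and give the form the same reply."""
    email = _normalize(email)
    if email in USERS:
        _send(email, "You already have an account", "Use the password reset form to get back in.")
    else:
        PENDING.add(email)
        token = secrets.token_urlsafe(32)
        _send(email, "Confirm your account", f"Verify link: https://example.test/verify?token={token}")
    return dict(REPLY_SIGNUP)


def responses_match(handler, known, unknown):
    """Defender's check: the form's reply for a registered and an unregistered address must be identical."""
    return handler(known) == handler(unknown)


if __name__ == "__main__":
    for handler in (forgot_username, forgot_password, register):
        print(handler.__name__, "uniform:", responses_match(handler, "alice@example.test", "nobody@example.test"))
    for mail in OUTBOX:
        print(mail["to"], "|", mail["subject"], "|", mail["body"])
```

The check in `responses_match` is the one to keep in a test suite; what it cannot see is timing, so in a real deployment the "not found" branch should do comparable work (a hash computation, a queued email) rather than returning early, and the reminder emails themselves should be rate-limited per address.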



