I was having a chat about this with a UX guy. His argument for using a similar flow was that the username/email will have to be validated at the point of registration anyway so you might as well make it easier for the user when the email is wrong. I couldn’t really refute this logic.
If you throttle both login and registration, then surely the risk is minimised while keeping the user happy?
Being able to determine if a username is valid without a valid password is a security flaw.
Even something as simple as taking longer to validate the password when the username is a valid one can also lead to user enumeration.
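As an added illustration of the two leaks the comment above describes (a distinct "unknown username" message, and an early return that skips the expensive password hash when the account does not exist), here is example code that is not from the thread or any product discussed in it. The user table, salt, dummy hash and PBKDF2 iteration count are constructed for the demo; a real application would read the record from a database and use a stronger, per-user salted hash.

```python
import hashlib
import hmac
import os
import secrets
import time
from statistics import median

# Constructed demo data (assumption: not a real user store).
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Deliberately slow KDF so the timing gap is visible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# A random throwaway credential so the hardened path does identical work
# for unknown users. It can never match a submitted password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

# Counts how often each variant actually ran the KDF (used to show the gap).
HASH_CALLS = {"vulnerable": 0, "hardened": 0}


def login_vulnerable(username: str, password: str):
    """Leaks account existence twice: by message and by timing."""
    record = USERS.get(username)
    if record is None:
        # Early return: no hash is computed, so this answer comes back fast.
        return (False, "Unknown username")
    salt, stored = record
    HASH_CALLS["vulnerable"] += 1
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return (True, "Welcome")
    return (False, "Wrong password")


def login_hardened(username: str, password: str):
    """Same message and same amount of work whether or not the user exists."""
    record = USERS.get(username)
    exists = record is not None
    salt, stored = record if exists else (_DUMMY_SALT, _DUMMY_HASH)
    HASH_CALLS["hardened"] += 1
    # Always hash, always compare in constant time; only then consult `exists`.
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    ok = matched and exists
    return (ok, "Welcome" if ok else "Invalid username or password")


def timing_gap_ms(login_fn, trials: int = 5) -> float:
    """Median response time for a known user minus that for an unknown one."""
    def measure(user):
        samples = []
        for _ in range(trials):
            start = time.perf_counter()
            login_fn(user, "not-the-password")
            samples.append((time.perf_counter() - start) * 1000)
        return median(samples)
    return measure("alice") - measure("nobody")


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, "known:", fn("alice", "x"), "unknown:", fn("nobody", "x"))
        print(f"  timing gap known-unknown: {timing_gap_ms(fn):.1f} ms")
```

Running it shows the vulnerable variant answering unknown usernames in well under a millisecond while valid ones take tens of milliseconds, which is the enumeration channel the comment refers to; the hardened variant keeps both the wording and the work identical. Two caveats a practitioner would want: the database lookup itself can still differ in latency between a hit and a miss, so this closes the largest gap rather than all of them, and, as the thread notes, a registration form that announces "username taken" reopens the same leak through a different door unless it is rate-limited or redesigned too.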
I keep hearing that, yet the websites will gladly tell you that the username is taken when trying to register.
I’d assume the spam protection for signing up is a lot tighter than the one for logging in.