The thinking is that if the username/email or the password is invalid, you shouldn’t even acknowledge that the username/email was correct. Doing so confirms to a hacker that the username/email exists, so they already hold part of the credentials needed to log in. I even mentioned this as a “best practice” in my PHP book.
The article I just read, though, argues against this concept: most hackers can already determine whether a username/email exists simply by trying to sign up with that same entry. When sign-up is refused, they have confirmation that the username/email is in use. As such, the article suggests you should be more explicit about why the login failed.
However, I recently came across another alternative. There was a service I wanted to sign up for, and I not only didn’t know my password, I didn’t know whether I had an account at all. Upon signing up, I received the following text (on the website):
“Your request has been processed. In order to maintain the security of your account, you will receive an email containing a verification code and a link that will allow you to set a new password. You must follow the instructions in the email in order to set a new password.”
Then, in the email I received, I was told that I never had an account! Yes, the original article had some other tips, but I thought this was a clever workaround for that specific point.
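The pattern described above, written out as an added Python example (not code from the post or from the service): the web page returns one fixed message whether or not the address is on file, and the real outcome, a reset link or a “no account exists” notice, goes only to the mailbox. The class and function names, `RESET_URL`, and the `example.invalid` addresses are assumptions, and the outbox list stands in for a real mailer.

```python
import hashlib
import hmac
import secrets

# The same text goes back to the browser whether or not an account exists,
# so the web response by itself reveals nothing about the address.
GENERIC_RESPONSE = (
    "Your request has been processed. You will receive an email with a "
    "verification link that lets you set a new password."
)
# Hypothetical base URL for the reset link (not from the original post).
RESET_URL = "https://example.invalid/reset?token="


class AccountRecovery:
    """Toy recovery service: the outcome is emailed, never shown on the page."""

    def __init__(self, registered_emails):
        # email -> SHA-256 of the outstanding reset token (None = no token)
        self.accounts = {e.lower(): None for e in registered_emails}
        self.outbox = []  # (recipient, body) pairs in place of a real mailer

    def request_reset(self, email):
        email = email.strip().lower()
        # Mint a token on both paths so they do the same work; this narrows
        # (but does not fully remove) timing differences between the branches.
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        if email in self.accounts:
            self.accounts[email] = token_hash
            body = "To set a new password, open: " + RESET_URL + token
        else:
            # The "no such account" fact is delivered only to the mailbox owner.
            body = ("A password reset was requested for this address, but no "
                    "account exists here. You can create one on the sign-up page.")
        self.outbox.append((email, body))
        return GENERIC_RESPONSE

    def complete_reset(self, email, token):
        email = email.strip().lower()
        stored = self.accounts.get(email)
        if stored is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison of the hashes; the token is single use.
        if hmac.compare_digest(stored, presented):
            self.accounts[email] = None
            return True
        return False


def token_from_email(body):
    """Recover the token from a constructed outbox message (for checking)."""
    return body.split(RESET_URL, 1)[1] if RESET_URL in body else None
```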