Ask HN: To pre-validate email or not to pre-validate email?
14 points by amykhar on Jan 1, 2023 | 14 comments
When creating a user registration form, it's possible to check to see if the email or username is already registered even before the user submits the form.

My question is, do you think this is a privacy risk? Is it violating a user's privacy if somebody can check to see if they are using a site or service or not just by entering their email address into a registration form?

If it is a privacy issue, do you think it matters for non-sensitive sites? For example, it's pretty obvious that an adult website or a job search site really needs to protect the identity of their registered users. But, what if it's something like Goodreads or Amazon, where knowing somebody is a member isn't really a sensitive thing?

Does the convenience of a user knowing if they've already registered on the site before figuring out a password and doing a captcha ever outweigh the potential privacy concerns?




You can go with the following flow:

- User enters email in registration form and submits.

- You return a thank you message saying that you sent instructions to the email address.

If the email address doesn't exist in your database, the link is for user creation and choosing a password.

If the email address was in the database, your email says that someone tried to register with the same email address, ask the person if it was them, and ask them if they forgot they had an account with the service. You may provide a link to the sign-in page, or to reset the password.

External visitor has no information on whether the email has an account or not, and the owner of the email has all the information.


This is probably a good idea. It preserves privacy and also makes an explanation in case someone registered twice by mistake, so it can solve two problems at once.


Thank you. I really love this idea.


When creating a user registration form, it's possible to check to see if the email or username is already registered even before the user submits the form.

People can mitigate this by using email canaries. Email canaries are email aliases that allow for an address to be tied to a specific entity and thus thrown away should that entity break their trust. Not all email providers support creating aliases but people should absolutely research which ones do.

My question is, do you think this is a privacy risk?

Yes. This is why creating obscure canaries is a good idea. Obscure meaning not putting the entity/company name in the address but having a way to map it to said entity. In Fastmail there is a comment field for each alias. In postfix this could be done in configuration comments.

Canaries are also important to mitigate some of the cross-site tracking and mapping of people. Emails are used exactly like cookies in this sense. Businesses track and sell who is using what sites so they can better map who can be sold what products. When people use more obvious canaries such as putting the name of the business in the alias it causes these companies to get upset because they have to exclude it from tracking. Some are even starting to label it as fraud despite not being so. This is why canaries/aliases should be obscure and only the creator should know who they map to.


Have you considered not requiring email at all? Those are my favorite sites. Your site provides some good or service, I just want that from you. But if I do, chances are I and younger people in general don't prefer email since there are a myriad of other options.

Whether or not I am a member of amazon is a very serious privacy issue for me depending on who sees that information and correlates it with other info.

For security, this terrible lazy way of relying on email causes a lot of problems for users. Access to your site should not depend on a central point of failure: users' email. Believe me when I say getting your email pwned is made even more horrible by the fact that random accounts are now also compromised. Doesn't matter if you use a password manager. If you use 2FA, you have to have some means of resetting accounts other than email, else you're just federating to email.

If you just want to federate the real authentication to their email provider then use OAuth2 with Google, GitHub, Facebook and Microsoft. Let them do auth but don't require email.

At this rate email will outlive ipv4! Lol


Not everyone will have Google, GitHub, Facebook, and Microsoft. However, if the email option is also provided in case you do not have the other stuff (but you do have email), then it will work.

(However, some things can work without requiring registration at all.)


You still don't need email. We are using HN without email. Millions use reddit without one too.


I'm trying to stay away from having people sign in using Google, Facebook, etc. because even though they're convenient, it feels a bit like selling my soul to the devil these days.


Well, it isn't your experience but the user experience that matters, right? Leave the choice to the users, I say, including having a no-email simple account like your HN account, I'm sure.


If the data is public anyway (e.g. usernames on forums) then you can check it before submitting - it's available to anyone anyway.

If the data isn't public and sensitive...

You know, if the email address is the right one, then the registration form would be sent (and delivered, most of the time) to it, but if it's not - then not. So for the emails there is no reason to disclose the existence of the account with such email at all.

But you should occasionally check your mail bounces and attempts to register with existing addresses.


HN is a good example of a different tradeoff. It uses usernames and usernames can be anonymous. Email is optional on the user profile. Not providing it means:

1. the feature of password recovery/reset is unavailable.

2. other users won't be able to directly contact you via email (and therefore this prioritizes privacy over other features/functionality).

As others have suggested, you can use the email for sending a context specific magic link for signin/registration completion.


Please read the OWASP guidelines for this, on the Authentication part. It documents the right checks and response messages to show to the user.



Assuming the same user on site a and b are the same based on username is not a good idea.



