Different password reset for wrong username/email

Oh I think you got that point across quite well, but the whole discussion here got super intense super quickly, and we’re suddenly spending more time on bickering than on thinking about if and how something useful could come from all this. And that’s a shame. :smile:


It got intense cause a brand new user told us we are “narrow minded” and “discriminatory”

Then the same new user said that site settings do not matter cause “no one will ever user it”

It just struck a huge nerve with me and made me super upset.

I felt like a condensending disappointed adult decended upon us to teach us the errors of our way. We agonized quite a lot about these defaults you know.


Not quite, we deleted unverified accounts after 7 days.

I don’t think anything useful can come of a “no email shall ever be disclosed, even upon account signup” discussion @elberet. I mean, can you really point to any other site on the Internet that works this way??

Off the top of my head? Nope. But I’ve read some news the other day about an open source project that’s intended to drive whistleblower sites… I didn’t check it out (or read past the article’s blurb), but not disclosing the users’ email addresses might be a pretty big deal there.

I am fine with adding a mode like this, but someone else is going to have to work on it, it would actually be nice to get rid of forgot password strict and replace with an encompassing term that defines a “email never disclosed but registrations can be a bit of a pain in the ass” mode.

1 Like

Me neither, until now. I just signed up (again, by accident) at Hipchat, and instead of the confirmation email they promised, I got this:

Hi *****,

It looks like you’ve tried to create an Atlassian account for ***** @ *****.
However, an account for that email address already exists.

You can reset your password if you’ve forgotten it.
If you didn’t try to create an account for ***** @ *****, don’t worry - we haven’t done anything, and you can safely ignore this message.
Feel free to contact us if you’ve got any questions.

The Atlassians

This would be a pretty neat feature for Discourse if you ask me!


Er… what? That feature already exists

We could make this a bit easier by jumping them over to “reset password” at that point, I guess, but feels like a bit of a micro-optimization cc @neil

No…?. this is the opposite… it’s about never saying “email has been taken” and instead making it impossible to misuse the sign up process to see if there is an account using a specific e-mail address. Atlassian only discloses that in the “confirmation” email that is sent, not in the web interface.

I see, so the disclosure is only via email, not in the UI. Well, there is an existing site setting to disable the UI disclosure, of course, and that’s off by default … but there is no direct email response handling.

It seems to me the direct email only makes sense in the context of zero UI disclosure, though. Which is not our default.

Which site setting is that? I thought there only is one for the forgot password dialog, but that the sign up process would always disclose if an email address is being used already.

You’re right @michaeld that we don’t have a setting to hide “Email has already been taken”. I like what Hipchat does.

1 Like

Hmm, no, we do have this setting forgot password strict and have had it for a long while

I guess we could enhance it to also work that way on account creation, but I don’t want to add another setting…


How about using the existing one for both the forgot password and signup processes, and eventually renaming it to “do not disclose email addresses in use” ?


@neil this one should be unified so we get coverage in both places.


To be clear, what are we going to do when someone signs up with an email that has already been taken?

  • Like Hipchat: respond as if the signup was successful and send an email to the email address suggesting they change their password.
  • Respond as if the signup was successful and do nothing.
  • Show another error. “Signup is not allowed from this account” (which is also a clue that the email is recognized for some reason)

We currently indicate the email is already taken.

Primary email has already been taken

For when the “xxxtra email security” site setting is enabled, I like the hipchat approach otherwise, and I think it’s smart. Via email to the specified email address:

Title: Account already exists at {site}

You just tried to create an account at {site}. However, an account already exists for name@example.com.

  • If you forgot your password, reset it now.

  • If you didn’t try to create an account for name@example.com, don’t worry – you can safely ignore this message.

If you have any questions, contact our friendly staff.


This is partially done, except the “account created” page doesn’t show these two buttons:

The absence of these buttons is a clue, so they should probably be faked too.

The setting is renamed to hide email address taken.

And while I’m at it, this form is also not covered by this setting:


Any ideas on those two places @michaeld?

I added support to the change email form in user preferences. It will respond as if it was successful, and send the email to the owner of the other account.

You just tried to create an account at Localhost Discourse, or tried to change the email of an account to doggy@woof.com. However, an account already exists for doggy@woof.com.


Closed in favour of Email enumeration vulnerability on "Password Reset" dialogue