Custom sign up error message for user that already exists

Hi Morné,

The behavior of displaying the same message regardless of whether there is already a user associated with an email address or username is by design.

To return a message indicating that the email address or user already exists would expose the application to user enumeration. User enumeration allows potentially malicious third-parties to learn the usernames and/or email addresses of legitimate users, which the third party can then use to attempt to gain access to user accounts through guessing passwords, brute force attacks, or matching usernames to a list of passwords leaked from other services.

Please see here for some additional information on OWASP recommendations regarding user enumeration.

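To make the point above concrete, here is an added illustration of the two behaviours side by side. It is hypothetical application code written for this thread, not the original poster's code nor any vendor's implementation: `signup_leaky` returns a distinct error when the address is taken, which is exactly what lets an outside party confirm which addresses are registered; `signup_uniform` returns the same response on both paths and moves the "already registered" information into an e-mail to the address owner, who is the only party entitled to know. The in-memory `UserStore`, the `outbox` list standing in for a mail service, and the `GENERIC` response are constructed for the example.

```python
"""Added example: identical sign-up responses to avoid user enumeration.

Hypothetical code for illustration; not the original poster's application
and not any identity provider's implementation.
"""
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class UserStore:
    """Constructed in-memory store; keys are normalised e-mail addresses."""
    users: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)  # stand-in for an e-mail service


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that the cost of "doing the work" is realistic on both paths.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _normalise(email: str) -> str:
    return email.strip().lower()


def signup_leaky(store: UserStore, email: str, password: str) -> dict:
    """'Before': a different message when the address exists.

    The status code and text tell the caller whether the address is
    registered, so the sign-up form doubles as an enumeration oracle.
    """
    key = _normalise(email)
    if key in store.users:
        return {"status": 409, "message": "An account with this email already exists."}
    salt = os.urandom(16)
    store.users[key] = {"salt": salt, "hash": _hash_password(password, salt)}
    return {"status": 200, "message": "Check your inbox to verify your account."}


# One response for every outcome; returned as a fresh copy each time.
GENERIC = {"status": 200, "message": "Check your inbox to verify your account."}


def signup_uniform(store: UserStore, email: str, password: str) -> dict:
    """'After': the HTTP-visible result is identical on both paths.

    The only thing that differs is the content of the e-mail sent to the
    address, which an outside party cannot observe.  The password hash is
    computed before the branch so the two paths do comparable work and
    response timing does not become the new oracle.
    """
    key = _normalise(email)
    salt = os.urandom(16)
    digest = _hash_password(password, salt)
    if key in store.users:
        # Inform the legitimate owner; do not create or overwrite anything.
        store.outbox.append((key, "already-registered"))
    else:
        store.users[key] = {"salt": salt, "hash": digest}
        store.outbox.append((key, "verify"))
    return dict(GENERIC)


def responses_distinguishable(handler, email: str = "alice@example.com") -> bool:
    """Sign up the same address twice and report whether the visible
    responses differ, i.e. whether the handler leaks account existence."""
    store = UserStore()
    first = handler(store, email, "correct horse battery staple")
    second = handler(store, email, "another password")
    return first != second


if __name__ == "__main__":
    print("leaky handler leaks existence:  ", responses_distinguishable(signup_leaky))
    print("uniform handler leaks existence:", responses_distinguishable(signup_uniform))
```

The test of whether a handler is safe is the last function: submit the same address twice and compare everything the client can see. For the uniform handler the two responses are equal, the store still holds one account, and the difference lives only in the outbox. The same rule applies to login and password-reset forms, and the response time should be checked as well as the body, which is why the hash is computed before the branch here.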