Security Tip: Don't Forget Your Registration Form!

[Tip#72] We talk a lot about protecting password reset and login forms, but don't forget about the humble registration form, it can provide attackers with crucial intel!

I was procrastinating browsing Twitter and came across this wonderful meme:

The full text is replicated below the meme.
Credit: Tim Myers @denvercoder

In the first panel we have what is presumably a login form error message, giving an ambiguous message to obfuscate which input is incorrect:

“Error. Either your email or password is incorrect.”

Followed by the response from the registration form, which confirms the email address is in the database:

Register > Enter Email: “Sorry that email is taken.”
AH, it’s the password.

Upon seeing this, my first reaction was…

This is why ambiguous messaging on password reset forms is often pointless.

Folks spend so much time worrying about the password reset form leaking account existence and ensuring it has rate limiting, but what about the humble registration form?

Not only do registration forms usually tell you whether an email address is already in the database, but they also often lack sufficient rate limiting and don’t send out any emails. That means a registration form can usually be used to check whether email addresses exist much faster and more quietly than a password reset form.

😈
Password reset forms are often covered by heavy rate limiting, with verbose logging and alerting, while validation errors on registration forms are typically ignored completely. I know which I'd rather attack!

So this week, I want you to remember your humble registration form!

  1. Ensure it has rate limiting that includes any validation failures.
  2. If account attacks or credential stuffing are a concern, log those validation failures so you’re aware of malicious activity.
  3. If the existence of email addresses is supposed to be secret, don’t validate emails on the registration form!
💡
Most apps don’t actually need to worry about enumeration attacks, as user existence doesn’t reveal anything compromising, and the only benefit of hiding it is to slow down credential stuffing attacks.

However, if your app does need to protect user identities, your registration form shouldn’t validate email addresses. Instead, it should just collect all the user's information and notify the provided email address - either to inform the existing account owner of the attempt, or to confirm ownership of the address and continue the registration flow.
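As an added illustration (not code from this post), here is a constructed, framework-agnostic Python registration handler that applies the three points above: every request, including ones that fail validation, counts against the rate limit; validation failures are written to an audit log; and the email is never checked for uniqueness, so the response is identical whether or not the address is already registered. The in-memory user set, outbox and audit log are stand-ins for a real database, mailer and logger.

```python
import time
from collections import defaultdict, deque

# Constructed example state: an in-memory "user table", outbox and audit log.
USERS = {"alice@example.com"}            # hypothetical existing account
OUTBOX = []                              # emails that would be sent
AUDIT_LOG = []                           # validation failures worth alerting on

MAX_ATTEMPTS, WINDOW_SECONDS = 5, 60     # assumed limits for the example


class RateLimiter:
    """Sliding-window counter keyed by client IP. Every request is counted
    before validation runs, so validation failures are rate limited too."""

    def __init__(self):
        self.hits = defaultdict(deque)

    def hit(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                  # drop hits outside the window
        q.append(now)
        return len(q) <= MAX_ATTEMPTS    # True while still under the limit


LIMITER = RateLimiter()


def register(ip, email, password, now=None):
    """Registration handler that never reveals whether `email` exists."""
    now = time.time() if now is None else now
    if not LIMITER.hit(ip, now):
        return 429, "Too many attempts, try again later."
    # Only format and strength checks here: no uniqueness check on the email.
    errors = []
    if "@" not in email:
        errors.append("email")
    if len(password) < 12:
        errors.append("password")
    if errors:
        AUDIT_LOG.append({"event": "registration.validation_failed",
                          "ip": ip, "fields": errors})
        return 422, f"Invalid fields: {', '.join(errors)}"
    # Same status and message either way; only the email body differs.
    if email in USERS:
        OUTBOX.append({"to": email, "template": "account_exists_notice"})
    else:
        OUTBOX.append({"to": email, "template": "verify_address_to_continue"})
    return 200, "Check your inbox to continue registration."
```

Note that the 429 and 422 responses are also independent of whether the address exists, so an attacker watching status codes learns nothing either.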

See In Depth: Registration Without Enumeration for more information on this topic.