JA WestenbergIf you prioritise "sign up" over "login" on your landing page to the point that existing users have to search for the button, you are holding your existing users in contempt. And you're an arsehole to boot.
Stuart McHattie 👨🏼💻@Daojoan don’t even separate the two. Ask for someone’s email address. If it exists, then ask for the password, otherwise take them through the registration process.
Bringer of Pants@sdjmchattie @Daojoan No. If a site does that, then it reveals that the email address in question does in fact have an account there, which is an information leak. It shouldn't do that. This is why logins typically only say "Login incorrect" rather than "you don't have an account here", even if you do not in fact have an account where you're trying to log in.
@Enfors @Daojoan yes I know that’s a risk. Tell Microsoft because that’s how their authentication works. Anyway, how much more of a risk is it to know an email has an account on the site? Usually accounts are targeted because the malicious actor already knows the account email they want to get in to. And you can identify if an account exists by trying to sign up for a new one and being told it already exists. I don’t believe there’s a leak of information happening here.
@sdjmchattie @Daojoan Well, you make a good point about trying to register also revealing the existance of the account, probably on most sites.