this post was submitted on 08 Aug 2025
28 points (88.9% liked)
Cybersecurity
8629 readers
3 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The only thing that needs to be encrypted or hashed is the password.
But telling that an email is already in use is leaking information. A bad actor can use this to figure out if you are using a particular service, or alternatively try random email addresses and check if they belong to a real user. This is why it's usually encouraged to just say "invalid combination of username/email and password", instead of specifying which is incorrect.
User registration will still need to check if the email is the user id (which I loathe).
Not necessarily. If it's implemented well, the frontend will just show a "success" message, but the email sent will be different. This way, the owner of the account will know if they already have an account, or if it wasn't them, that someone else tried to use their email. Meanwhile the bad actor won't know anything new.