Is it fine if a website says "email already in use" before you hit submit? (lemmy.world)

submitted 3 weeks ago by Jankatarch@lemmy.world to c/cybersecurity@sh.itjust.works

42 comments fedilink hide all child comments

I remember hearing before that it's a sign they are storing your info unencrypted but I never checked.

Is this true? I was logging into a .gov website and noticed it does that.

you are viewing a single comment's thread
view the rest of the comments

[-] CameronDev@programming.dev 13 points 3 weeks ago

The only issue with it is that it allows attackers to determine that a given person has an account on a site. Which if the site is pornhub or similar, could be embarrassing (try sign up to pornhub with your local politicians email).

The way around this is to do something like:

"We need to verify your email is correct, by sending you a code"

This doesnt tell the attacker anything, but if there already is an account, the email itself can just say "You already have an account, here are the links to reset and login".

Side note: encryption is reversible, hashing is not. Passwords should be stored hashed, but email only need to be encrypted (or plaintext, but less ideal). And because its reversible, they can get the original value back. They cannot reverse a hash to get the password back, so if a site ever tells you info about your password, that is a sign they might not be hashing it correctly.

[-] hitmyspot@aussie.zone 6 points 3 weeks ago

Given many people use the same password.on many sites, it can allow the bad actor to "guess" their password based on data from other leaks.

Then whatever is inside that account may be accessible, such as financial info. Even protected data like cc info might show the last 4 digits, which can be used when talking to an agent to verify identity etc.

[-] sugar_in_your_tea@sh.itjust.works 2 points 3 weeks ago* (last edited 3 weeks ago)

This is the way.

If you're going to encrypt the email, you need to be careful about how you use and store the key. Doing any operation with the email will be a lot more expensive, and you'll lose the benefits if an attacker that can access the db also has access to the key.

I personally don't think it's worth it and would prefer to spend more time hardening the app, especially if the email is displayed on the site (i.e. it gets decrypted frequently).

It probably makes sense when there's sensitive data (bank, medical care, etc), but for most things it's overkill.

this post was submitted on 08 Aug 2025

28 points (88.9% liked)

Cybersecurity

8203 readers

438 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social