> Unfortunately this assumes that there's no other way for an attacker to discover whether a username/email address is registered for a service. This assumption is incorrect.
Security is never perfect, it is always about making it annoying enough that people don't bother. So yes, there are other ways to see if someone has an account. But odds are the person attacking your site is not singling out one account to hack, they are trying bulk attacks with many accounts. So you avoid leaking info to not give the script any more ammo on what else to try. And hopefully the attacker will move on to some site that did give it more ammo.
Maybe instead of saying the email address is already in use on the site, just let the "sign up" happen and tell them to check the email for a confirmation link, and in the confirmation email say "someone is attempting to sign up with this email that is already signed up, if this was you, use the Forgot Password link to reset the password for the existing account. If it was not, click here to report this incident."
> it is always about making it annoying enough that people don't bother.
> But odds are the person attacking your site is not singling out one account to hack, they are trying bulk attacks with many accounts.
I feel like these two statements are at odds with each other. A regular user is going to get annoyed. An attacker using a script and multiple attempts is simply going to include the other way of verifying if an address is real in the script.
Security is never perfect, it is always about making it annoying enough that people don't bother. So yes, there are other ways to see if someone has an account. But odds are the person attacking your site is not singling out one account to hack, they are trying bulk attacks with many accounts. So you avoid leaking info to not give the script any more ammo on what else to try. And hopefully the attacker will move on to some site that did give it more ammo.