Should a user registration form indicate if an email address is already in use?

For most kinds of sites, I would expect that explicitly hiding this information would be a poor user experience trade-off. The better solution is to use CAPTCHA to help prevent war-dialing of email addresses.

The exception would be in cases where an attacker is seeking out information about a specific user (rather than just trying to find "some account"). As an example, if your site caters to people who have a strong interest in anonymity, and there are attackers who have a strong interest in finding out if a specific user is using the site, then the approach should be different. My approach would likely be to send an email to the address indicating the "already registered" error. The user experience annoyance would be outweighed by the user's anonymity interest.


Rob Napier's answer is correct. You should decide whether your users actually need that anonymity at the cost of degraded UX (in most cases they wouldn't care).

Here's how some big names do it:

  • AWS: Error: Account with this email already exists.
  • Apple ID: This email address is not available. Choose a different address.
  • Cloudflare: A user with that email already exists (Code: 1079)
  • LinkedIn: Someone's already using that email.
  • Stack Overflow: Forgot your account’s password or having trouble logging into your Team? Enter your email address and we’ll send you a recovery link.

Simply tell them they cannot use the email address they have supplied? You don't need to give any more reason than that? If they know it's not their email they might still guess it's an existing address but you haven't confirmed that.

Or

How about telling them you've sent an email to that address and they need to confirm - even if you haven't?


I can think of one way: you could ask for an email address and then send the link for a one-time registration form to that email address. You might need a captcha in there to stop spam. If the email is already in the system it could send a message saying that they already have an account.

I think this is unnecessary though, unless your website is especially secret, like a support group for abuse victims.
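
The email-first flow described in the answers above, as an added sketch that is not part of any answer: the web response is identical whether or not the address is registered, and only the mailbox owner learns which case applied. The class and method names, the in-memory stores, the `example.invalid` URL and the one-hour token lifetime are assumptions made for illustration; CAPTCHA and rate limiting are left out.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a registration link, in seconds
GENERIC_REPLY = "Check your inbox: we have sent an email with the next steps."


class Registration:
    """In-memory stand-in for the account store and the outgoing mail queue."""

    def __init__(self, existing_emails):
        self.accounts = {e.strip().lower() for e in existing_emails}
        self.pending = {}  # sha256(token) -> (email, expiry); raw token is never stored
        self.outbox = []   # (recipient, body) tuples in place of real mail delivery

    def request_signup(self, email, now=None):
        now = time.time() if now is None else now
        email = email.strip().lower()
        if email in self.accounts:
            # Only the owner of the mailbox learns that an account exists.
            body = ("Someone tried to register with this address, "
                    "but you already have an account. You can sign in or reset your password.")
        else:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, now + TOKEN_TTL)
            body = f"Finish registering: https://example.invalid/register?token={token}"
        # Both branches enqueue exactly one message. In a real service the send
        # should be asynchronous so response time does not differ between them.
        self.outbox.append((email, body))
        return GENERIC_REPLY  # same text (and same status code) in both cases

    def complete_signup(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the link single-use
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry or email in self.accounts:
            return False
        self.accounts.add(email)
        return True
```
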