
Do most people who are throwing usernames and passwords at websites ... do that?


If they could benefit from the 'information leakage' of knowing a username exists, they would do.

If they don't - then maybe this 'information leakage' worry is obsolete security advice. There's loads of obsolete security advice around.

(of course there might be other, non-account-security-related reasons to make it impossible to know if an account exists. It's one thing if HN's login form reveals that user duxup exists, it's another if find-an-affair-partner.com reveals the same thing)


>There's loads of obsolete security advice around.

Yeah that's kinda what I'm wondering about. It's possible that most of your security issues are just folks credential stuffing in the simplest way, if that's the case then the whole registration thing isn't really a realistic concern.

Hell, when I was in networking, if you did your best to just block traffic to / from specific regions / nations ... you eliminated a huge % of malicious traffic. For the guy thinking deeply about security that seems odd / not specific enough, but in the real world it works...


There's another option, where trying to sign up takes more effort than trying to log in and leaves bigger red flags, so they won't use that method.
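A worked illustration of the "information leakage" the thread is arguing about, added here as an example and not code from the thread or from any of its posters. A login handler that answers "no such user" versus "wrong password" is a username-enumeration oracle, while one that answers identically on both paths (and does the same password-hashing work whether or not the account exists, so response time does not leak it either) is not; the same contrast is shown for a signup form. The in-memory user store, the credentials and the names (USERS, login_leaky, login_uniform, signup_leaky, signup_uniform, enumerate_via_login) are all constructed for this example.

```python
"""Username enumeration through login and signup responses (added example)."""
import hashlib
import hmac
import secrets

# Iteration count kept low so the example runs quickly; use a production
# value (or argon2/bcrypt) in real code.
ITERATIONS = 20_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store: username -> (salt, password hash)
USERS = {}

def register_user(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, hash_password(password, salt))

register_user("duxup", "correct horse battery staple")   # constructed account

# A fixed salt/hash pair that the "unknown user" path verifies against, so
# that path costs the same as the "known user" path (no timing oracle).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password("placeholder-never-accepted", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> str:
    """Two different failure messages: the attacker learns which names exist."""
    rec = USERS.get(username)
    if rec is None:
        return "no such user"                       # oracle: account absent
    salt, stored = rec
    if hmac.compare_digest(stored, hash_password(password, salt)):
        return "ok"
    return "wrong password"                         # oracle: account present

def login_uniform(username: str, password: str) -> str:
    """One failure message, and the hash is computed on both paths."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(stored, hash_password(password, salt))
    if rec is not None and match:
        return "ok"
    return "invalid username or password"

def signup_leaky(email: str) -> str:
    """Signup that confirms existence directly in the HTTP response."""
    if email in USERS:
        return "already registered"                 # oracle: account present
    return "check your email to confirm"

def signup_uniform(email: str) -> tuple:
    """Same response either way; the difference lives only in which mail is
    sent to the address, which the attacker does not control."""
    side_effect = "send-already-registered-notice" if email in USERS \
        else "send-confirmation-link"
    return "check your email to confirm", side_effect

def enumerate_via_login(candidates, handler, probe_password="x") -> list:
    """Attacker's view: names the login handler confirms to exist."""
    return [u for u in candidates if handler(u, probe_password) == "wrong password"]

def enumerate_via_signup(candidates, handler) -> list:
    """Attacker's view: names the signup handler confirms to exist."""
    return [u for u in candidates if handler(u) == "already registered"]

if __name__ == "__main__":
    wordlist = ["duxup", "nobody", "admin"]          # constructed probe list
    print("leaky login   ->", enumerate_via_login(wordlist, login_leaky))
    print("uniform login ->", enumerate_via_login(wordlist, login_uniform))
    print("leaky signup  ->", enumerate_via_signup(wordlist, signup_leaky))
```

The uniform signup only works when the identifier is an address the site can contact (an email), because the "already registered" fact is pushed into the mailbox instead of the HTTP response; with a free-form username the form has to say "taken", so the remaining controls are the ones the comment above alludes to: rate limiting and friction on signup so that probing there costs more and stands out more than probing the login form.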



