On Feb 23, 2015 12:06 PM, "Lars Aronsson" <lars(a)aronsson.se> wrote:
> It would be possible to just say "sorry, login by e-mail
> is not possible for you; please login by username".

No, that isn't possible. We can't reveal existence or non-existence of an
account with an address. If there's more than one with a given address and
we throw that error message then we've revealed something we can't.
The "multiple accounts match" response should be identical to the "wrong
password" response and identical to the "no such email/username" response.
-Jeremy
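
One way to implement the rule stated in the reply above, as an added example (not code from this thread or from the software it discusses). The account store, function names and error text are assumptions made up for illustration; the sample accounts are constructed.

```python
import hashlib
import hmac
import os

# Single failure value returned for every non-success path (assumed wording).
GENERIC_FAILURE = {"ok": False, "error": "Incorrect login or password."}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_account(username: str, email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "email": email,
            "salt": salt, "hash": _hash(password, salt)}

# Constructed sample data: two accounts share one e-mail address.
ACCOUNTS = [
    make_account("alice", "shared@example.org", "pw-alice"),
    make_account("alice2", "shared@example.org", "pw-alice2"),
    make_account("bob", "bob@example.org", "pw-bob"),
]

# Dummy credential: lookups with zero or several matches still cost one hash,
# so response time does not separate those cases from a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)

def login(identifier: str, password: str) -> dict:
    """Log in by username or e-mail; every failure looks the same to the caller."""
    ident = identifier.lower()
    field = "email" if "@" in ident else "username"
    matches = [a for a in ACCOUNTS if a[field].lower() == ident]

    unique = len(matches) == 1
    if unique:
        salt, expected = matches[0]["salt"], matches[0]["hash"]
    else:
        # No account, or an ambiguous e-mail: verify against the dummy instead.
        salt, expected = _DUMMY_SALT, _DUMMY_HASH

    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    if unique and password_ok:
        return {"ok": True, "username": matches[0]["username"]}
    # Wrong password, unknown identifier and multiple matches are indistinguishable.
    return dict(GENERIC_FAILURE)
```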