
I want to continue the discussion started in this question, "Username and/or Password Invalid" - Why do websites show this kind of message instead of informing the user which one was wrong?, but due to my reputation I need to create a new question.

So I wonder why Google and Facebook definitely say what was wrong, email or password, while some people think this can be a security issue?

Some thoughts about "this is dangerous because the hacker will know that the email is valid":

I think almost every site has a password recovery form with only an email field in it, so it is pretty easy for a hacker to know whether some email exists or not. He will just enter the email in the recovery form and wait for the answer "Recovery email was sent" or "This email doesn't exist".

Yes, the genuine user will know about this non-genuine recovery attempt and will probably protect his account rapidly. But in the case of password brute forcing we can also notify a user about suspicious login attempts (Facebook used to send such emails after some number of unsuccessful login attempts).

1 Answer


Essentially, this comes down to a balance between usability and security.

In the case of Google and Facebook, there is an assumption that pretty much "everyone" has an account, therefore the risk of giving away what email address has been used is minimal - it makes more sense from a customer support purpose to minimise calls from people who have mistyped their email address. They also both use fairly advanced methods of detecting fraudulent logins, with the ability to show a list of all known sessions, and detection for multiple logins from geographically distinct locations (e.g. if you log in from the UK and the US within an hour, something suspicious is going on).

For most smaller sites though, there isn't that assumption. Most people don't have an account with any given website, therefore the information that they do becomes valuable. In that case, you can reasonably hide whether someone is a member or not by giving a generic rejection method. You can also give a standard message reading something like "We have sent a password reset link to the address provided - if you don't receive it within a few minutes, check your spam folder, or double check the entered address" - you don't need to expose your user list through forgotten password screens.

If the smaller sites could either make the assumption that "everyone" has an account, or run a full suite of fraud detection methods, like Facebook or Google, it wouldn't be an issue, but the cost of running that type of protection tends to be prohibitive until you reach huge scale. Generic error messages, on the other hand, are cheap and effective.

Matthew
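As an added example (not code from the question or the answer), here is a minimal Python login and password-reset handler that contrasts the leaky "which one was wrong" response with the generic response the answer recommends, plus the check a site owner can run against their own handler. The in-memory user store, the addresses and the function names are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory store: email -> (salt, PBKDF2 hash). Not any real site's data.
USERS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(email, password):
    salt = os.urandom(16)
    USERS[email] = (salt, _hash(password, salt))


# Dummy credential so an unknown address costs the same hashing work as a known one;
# otherwise response time alone would reveal whether the email exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(email, password):
    """Google/Facebook style: says which field was wrong, so it confirms which emails exist."""
    if email not in USERS:
        return "Unknown email"
    salt, digest = USERS[email]
    return "OK" if hmac.compare_digest(digest, _hash(password, salt)) else "Wrong password"


def login_generic(email, password):
    """Same message and same hashing work whether or not the email is registered."""
    salt, digest = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(digest, _hash(password, salt))
    return "OK" if matched and email in USERS else "Username and/or password invalid"


def reset_request_generic(email):
    """The answer's reset message: identical for known and unknown addresses.
    Returns (message, token): the token goes out by email (queue it asynchronously so
    the response time does not depend on the lookup), never in the HTTP response."""
    token = secrets.token_urlsafe(32) if email in USERS else None
    return ("We have sent a password reset link to the address provided - if you don't "
            "receive it within a few minutes, check your spam folder, or double check "
            "the entered address", token)


def leaks_existence(login_fn, registered_email):
    """Defensive self-check: does the handler answer differently for an unknown address
    than for a registered address with a wrong password?"""
    unknown = f"{secrets.token_hex(8)}@example.invalid"  # constructed, never registered
    return login_fn(unknown, "wrong") != login_fn(registered_email, "wrong")
```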