Back in the day, it was customary to not tell the user whether their username or password was incorrect. This would help maintain the security when the attacker didn't know their victim's username. Today, we are using emails to identify users. Emails are not generally public but normally they aren't closed guarded secrets so, we shouldn't count on an attacker not knowing the email address of the victim. Hence, a system should be secure enough with the email (that is, username) being public knowledge. Dashman strives to be secure that way.


Furthermore, back in the day when we could keep usernames private, it was with systems that had off-band registrations. That is, you couldn't register through the same channel as you could log in. Today, in most web applications and in Dashman, you register the same way you log in and hence you can try to register with an email address that's already register and there's no way, when reporting the error, to hide this fact to the user and a potential attacker. That means that we have to assume the attacker will manage to find email addresses of the victims.


With all of these assumptions, there's no reason to keep it secret whether a user made a mistake in the email address or password, it doesn't increase security and explaining the error can help people spot it faster and increase usability. Because of this, Dashman does leak which account exist, but it's not a big security issue, it's impossible to avoid and we do it for the sake of usability.