Allow/Deny Listing

• existing emails from different response time from hashing
• not existing user emails returned faster
• compromised ashley madison website on which emails were being used
• could throttle to have made this issue go away

Attack surface

• Keeping the attack surface as small as possible is a basic security measure
• Attack surface is the sum of different points where an unauthorized user can try to enter data to extract data from an environment