
Usually you do it by giving the same response for an invalid password and a non-existent email. I wanted to see how that particular page was leaking but the site wouldn’t load for me.



That won’t really help in general because you can go try to sign up with an email address. It has to tell you if the address is already taken or not.


Not quite - best practice is to continue the initial setup - ie, "we've sent you a link, please click to activate your account". Except if the email address is already in use, you email the address and let them know that. That way they only leak that info to the owner of the email address - and they can include a password reset link too.


How about for websites that give you some functionality without a verified email address? At that point, you can't let a user dink around if the address is in use.

Granted, this doesn't apply to eg banks, but there's plenty of websites where this could apply.


Don't ask for their email address then. What's the point in having an email address that you have no idea if it's correct or not? You might as well ask them to put in a random string of characters.


Absolutely. It's really more relevant with services you can't directly sign up for, such as an internal service in the company where user enumeration helps you find a target when the error messages are different.
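The two defences discussed in this thread, identical login failures for unknown and known emails, and a signup flow that always answers "we've sent you a link" and moves the "already registered" message into the email itself, as an added example (not code from any commenter). It assumes an in-memory user store and a constructed outbox list standing in for a real mailer.

```python
"""Enumeration-resistant login and signup (added example, not from the thread)."""
import hashlib
import hmac
import os
import secrets

def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest

def verify_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

# Constructed store: email -> salted hash. One real account.
USERS = {"alice@example.com": hash_password("correct horse")}
# Dummy hash so the unknown-email path does the same hashing work as the
# known-email path: the message is identical, and timing stays similar too.
_DUMMY = hash_password(secrets.token_hex(16))

LOGIN_FAILURE = "Invalid email or password."

def login(email: str, password: str) -> str:
    """Same failure text whether the email is unknown or the password is wrong."""
    stored = USERS.get(email, _DUMMY)
    ok = verify_password(stored, password) and email in USERS
    return "Logged in." if ok else LOGIN_FAILURE

SIGNUP_RESPONSE = "We've sent you a link, please click to activate your account."
OUTBOX = []  # constructed stand-in for a mailer: list of (recipient, body)

def signup(email: str) -> str:
    """Always returns the same page; only the email body differs, so only the
    address owner learns whether an account already exists."""
    if email in USERS:
        OUTBOX.append((email, "You already have an account. Reset your password: <reset link>"))
    else:
        OUTBOX.append((email, "Activate your account: <activation link>"))
    return SIGNUP_RESPONSE
```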



