Avoiding User Enumeration

If an attacker can probe your site to test whether a username exists, it gives them a leg up in trying to hack your users’ accounts.

Risks

Prevalence Common
Exploitability Easy
Impact Worrying

Allowing enumeration of usernames is not a vulnerability in itself, but in tandem with other types of vulnerabilities – like the ability to brute-force login – it will compromise the security of your users.

Want to see this vulnerability in action? Take our exercise. See some common ways users are enumerated.

Protection

As shown in our exercise, avoiding user enumeration is a matter of making sure no pages or APIs can be used to differentiate between a valid and invalid username, unless the matching password is supplied. To recap:

Login
  • Make sure to return a generic “No such username or password” message when a login failure occurs.
  • Make sure the HTTP response, and the time taken to respond are no different when a username does not exist, and an incorrect password is entered.
Password Reset
  • Make sure your “forgotten password” page does not reveal usernames.
  • If your password reset process involves sending an email, have the user enter their email address. Then send an email with a password reset link if the account exists.
Registration
  • Avoid having your site tell people that a supplied username is already taken.
  • If your usernames are email addresses, send a password reset email if a user tries to sign-up with an existing address.
  • If usernames are not email addresses, protect your sign-up page with a CAPTCHA.
Profile Pages
  • If your users have profile pages, make sure they are only visible to other users who are already logged in.
  • If you hide a profile page, ensure a hidden profile is indistinguishable from a non-existent profile.
Got all that?
Test Yourself →
Take our quiz to make sure everything is clear