If an attacker can probe your site to test whether a username exists, it gives them a leg up in trying to hack your users’ accounts.
Allowing enumeration of usernames is not a vulnerability in itself, but in tandem with other types of vulnerabilities – like the ability to brute-force login – it will compromise the security of your users.
As shown in our exercise, avoiding user enumeration is a matter of making sure no pages or APIs can be used to differentiate between a valid and invalid username, unless the matching password is supplied. To recap:
- Make sure to return a generic “No such username or password” message when a login failure occurs.
- Make sure the HTTP response, and the time taken to respond are no different when a username does not exist, and an incorrect password is entered.
- Make sure your “forgotten password” page does not reveal usernames.
- If your password reset process involves sending an email, have the user enter their email address. Then send an email with a password reset link if the account exists.
- Avoid having your site tell people that a supplied username is already taken.
- If your usernames are email addresses, send a password reset email if a user tries to sign-up with an existing address.
- If usernames are not email addresses, protect your sign-up page with a CAPTCHA.
- If your users have profile pages, make sure they are only visible to other users who are already logged in.
- If you hide a profile page, ensure a hidden profile is indistinguishable from a non-existent profile.