
Mohit • 4 years ago

This is a scenario which you explained where a user is trying to log in using a user name. Here we can show a generic message in order not to tell the user whether a user name already exists in the system.

But when a user is creating an account/username for the first time, at that time we have to check the user name availability, and if it has already been taken, we have to display the error to the user that the user name is not available. Now if the user is a potential attacker, he knows a user name in the system. How do you suggest tackling / avoiding this kind of scenario?

Patrick Laverty • 4 years ago

Great question, Mohit. That is certainly a good use-case. One thing you can do is to require something other than a user-chosen string as a username, something like an email address, which should be unique. Another thing you could do, and I admit this is not user-friendly at all, is to let them sign up with that user name, but send the user an email letting them know that the username is already used. It still indicates a valid username, but adds a lot of overhead to the process of enumeration.
Another thing you can do is to add pain to the second part of it. Attackers want the list of valid usernames, so they can then try to guess or brute force the password. You can put protections in place with that as well, whether they are lockouts or multi-factor authentication, so even if they have a valid username, it's much harder to gain access.
Great question.

Roberto Santana Perdomo • 3 years ago

Could you please explain why it is a vulnerability for an attacker to know the user names on a system? Currently External Identity Providers are wildly popular, meaning that user names are personal emails.

My amazon account is my email address, my Azure account is my email address and both sites manage highly valuable information that could take a whole company out of business... and yet, they show no concern on hiding user names...
Furthermore, even some banks make use of government-issued identification credentials as the user name, and such are also easy to guess or access.

Will • 3 years ago

Amazon, Azure and banks are using WAFs and 2FA and other methods to prevent brute-force password guessing.

This means that after a few wrong passwords/2FA entries, the IP address will be blocked (jailed). If a system does not use a WAF or 2FA, then brute-force password guessing is a vulnerability.

Another problem which is not discussed in this is if the email address is also a user account on the system and SSH is enabled. Then the user enumeration exploit can be used on the host operating system.

Peter Reszczynski • 5 years ago

Very informative. Thank you.

Pramesh Bajracharya • 6 years ago

Thanks, it's informative!

A. Paul Arockiaraj • 6 years ago

Useful information. Thanks Patrick.