For Gmail, you can determine whether an account exists simply by sending an email to an @gmail.com
address. If it bounces, that account does not exist.
This is true of many email providers. Here, usernames are not considered secret. If a user has the email address foo@example.com, everybody knows that foo has an account at example.com with username foo@example.com.
However, for most other systems it is a breach of privacy to reveal usernames. If someone can discover that bob@example.com has an account at nostringsattacheddating.example.org (for example, if Bob's wife Alice tries registering with the username bob@example.com on the website and it tells her the username is already in use), then it is a massive breach of privacy.
Remember that an email address has its roots at the email provider. There is no privacy lost if eve@example.com is known to have an account at example.com, as there is no point of reference for who eve@example.com is. The same isn't true for another system using email as the username - a user with username mallory@example.com on a non-email website will be the same mallory@example.com as registered at other websites. There is privacy to protect about which accounts Mallory has.
Also, revealing usernames can be useful to an attacker. This is known as a username enumeration vulnerability. If an attacker knows which usernames exist, then they can run a password guessing attack.
As an attacker, if I can use your login or forgotten password page to narrow my list from 10000 targets to 1000 targets, I will.
It also allows attackers to target users of the system via phishing.
It is easily possible to design a system where user enumeration cannot be executed. For example, the sign-up and forgotten password processes are one and the same.
The steps are:
- The system asks for their username (email) on a single page, with no other input fields.
- When the form is submitted the system asks the user to check their email account.
- If the account exists, the email contains a password reset link.
- If the account does not exist, the email contains a sign-up link.
As a bonus, you've validated their email address at sign-up in case they need to reset their password at a later date. Any typos will mean the user can't sign up at all - which is good because a user isn't accidentally using an account registered to a different email address.
Both the password and sign-up links contain a cryptographically secure random ID, so they cannot be followed without receiving the email. Only someone with access to the account can find out whether a username is registered or not (Bob better keep his email and laptop passwords secret from Alice - it would be wise for him to turn off any notification sounds in case Alice tries this process when they're in the same room too).
See some of my other answers for related topics:
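The combined sign-up / forgotten-password flow described in the answer above, written out as an added example that is not part of the original post. It assumes an in-memory dict standing in for a database, a hypothetical site at https://example.com, a 15-minute link lifetime chosen for illustration, and an injected `send_email` callback; none of these come from the answer. The HTTP response is the same string whether or not the address is registered, only the emailed link differs, tokens come from the CSPRNG and are stored hashed and single-use, and the login check hashes a dummy password for unknown addresses so its timing does not leak which usernames exist.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example (not from the original post).
LINK_TTL_SECONDS = 15 * 60
BASE_URL = "https://example.com"


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest as bytes."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def check_password(stored, password):
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


class AccountService:
    """One 'enter your email' form that serves both sign-up and password reset.

    The response to the browser is identical whether or not the address is
    registered; only the email, delivered to the address itself, reveals
    which kind of link was issued.
    """

    SAME_RESPONSE = "Check your email for a link to continue."

    def __init__(self, send_email, now=time.time):
        self.send_email = send_email   # callable(to_address, body); injected so it runs offline
        self.now = now                 # clock, injectable for expiry tests
        self.users = {}                # email -> salted password hash
        self.pending = {}              # sha256(token) -> (email, kind, expires_at)
        # Dummy hash so login() does the same work for unknown addresses.
        self._dummy = hash_password(secrets.token_hex(16))

    @staticmethod
    def _token_key(token):
        # Only a hash of the token is stored, so a leaked table cannot be redeemed.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email):
        """The single-field form: always answers the same, regardless of existence."""
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)                # 256 bits from the CSPRNG
        kind = "reset" if email in self.users else "signup"
        self.pending[self._token_key(token)] = (email, kind, self.now() + LINK_TTL_SECONDS)
        # In production, queue the send so response time does not depend on the branch.
        self.send_email(email, f"{BASE_URL}/{kind}?token={token}")
        return self.SAME_RESPONSE

    def consume_link(self, token, new_password):
        """Redeem a link once; returns 'signup' or 'reset', or None if invalid, used or expired."""
        entry = self.pending.pop(self._token_key(token), None)
        if entry is None:
            return None
        email, kind, expires_at = entry
        if self.now() > expires_at:
            return None
        self.users[email] = hash_password(new_password)
        return kind

    def login(self, email, password):
        """Verifies a password; hashes a dummy for unknown users so timing is uniform."""
        email = email.strip().lower()
        stored = self.users.get(email, self._dummy)
        ok = check_password(stored, password)
        return ok and email in self.users


if __name__ == "__main__":
    outbox = []
    svc = AccountService(lambda to, body: outbox.append((to, body)))
    print(svc.request_link("bob@example.com"))   # same text for new and existing users
    print(outbox[-1])                            # the signup link only the inbox owner sees
```

Because `request_link` stores the token only as a hash and `consume_link` pops it, a link works exactly once; the sign-up branch also doubles as email validation, as the answer notes, since a mistyped address simply never receives a usable link.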