We recently had an external security review performed on a public-facing website we manage. They noted that on the "recover password" page, there are different response times when providing existing and non-existing usernames. They claim this could make it easier for an attacker to test for existing usernames. The suggested change to eliminate this attack vector is to always execute the same logic for every password recovery attempt.
In our case, the password recovery logic consists of (roughly) the following steps:
- Load the user from database.
- Send an email to the user with a password reset link.
If the user exists, both steps are carried out. If the user doesn't exist, only step 1 is executed.
In terms of database lookups etc., this is easily solved. But when it comes to interacting with external systems, in this case sending an email, it's less trivial.
I suppose introducing a random delay will not help much, as there would likely still be a detectable difference in the response time distributions.
Another idea is to set up an email account somewhere, and send an email there for every non-existing username.
What would be best practice in this situation?
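Added illustration (not code from the question or from the site it describes): the two-step handler as the question describes it, side by side with a version that does the same request-path work for every username and hands the slow external call (sending the email) to a background worker. The user table, the 10 ms simulated mail delay, the URLs and all function names are constructed assumptions so the script runs offline; the timing helper at the end measures the gap each handler leaks.

```python
import hashlib
import queue
import secrets
import statistics
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data standing in for the database in step 1 (assumption).
USERS = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}

# Pending reset tokens, keyed by username -> sha256 hex digest of the token.
RESET_TOKENS: dict = {}

GENERIC_RESPONSE = "If an account with that username exists, a reset link has been sent."


def simulated_send_email(address: str, link: str) -> None:
    """Stand-in for the external mail system: a fixed 10 ms delay so the
    timing difference is visible without network access (assumption)."""
    time.sleep(0.010)


def naive_request_reset(username: str, send_email: Callable[[str, str], None] = simulated_send_email) -> str:
    """The handler as described in the question: step 2 runs only for known
    users, so the response time reveals whether the username exists."""
    address = USERS.get(username)                                   # step 1
    if address is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[username] = hashlib.sha256(token.encode()).hexdigest()
        send_email(address, f"https://example.com/reset?token={token}")  # step 2
    return GENERIC_RESPONSE


@dataclass(frozen=True)
class ResetJob:
    username: str
    address: Optional[str]   # None means "no such user"; the worker discards it
    link: str


def new_job_queue() -> "queue.Queue":
    """In-process stand-in for a job queue or message broker (assumption)."""
    return queue.Queue()


def hardened_request_reset(username: str, jobs: "queue.Queue") -> str:
    """Same response and same request-path work for every username: lookup,
    token generation, hashing and one queue insert always happen. The slow
    external call is moved off the request path, so its cost never reaches
    the HTTP response regardless of whether the user exists."""
    address = USERS.get(username)                                   # step 1, always
    token = secrets.token_urlsafe(32)                               # always generated
    digest = hashlib.sha256(token.encode()).hexdigest()             # always hashed
    if address is not None:
        RESET_TOKENS[username] = digest
    # Enqueue unconditionally; only the worker knows whether anything is sent.
    jobs.put(ResetJob(username, address, f"https://example.com/reset?token={token}"))
    return GENERIC_RESPONSE


def deliver_pending(jobs: "queue.Queue", send_email: Callable[[str, str], None] = simulated_send_email) -> int:
    """Background worker: drains the queue and sends mail only for real users.
    Returns the number of emails actually sent. Its duration is not observable
    through the reset endpoint because it runs after the response was returned."""
    sent = 0
    while True:
        try:
            job = jobs.get_nowait()
        except queue.Empty:
            return sent
        if job.address is not None:
            send_email(job.address, job.link)
            sent += 1


def median_latency(handler: Callable[[str], str], username: str, runs: int = 15) -> float:
    """Median wall-clock time in seconds of handler(username) over `runs` calls."""
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        handler(username)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def timing_gap(handler: Callable[[str], str], existing: str = "alice", missing: str = "nobody") -> float:
    """Absolute difference between the median latencies for an existing and a
    non-existing username; a large gap means usernames can be enumerated."""
    return abs(median_latency(handler, existing) - median_latency(handler, missing))


if __name__ == "__main__":
    jobs = new_job_queue()
    print(f"naive    gap: {timing_gap(naive_request_reset) * 1000:.2f} ms")
    print(f"hardened gap: {timing_gap(lambda u: hardened_request_reset(u, jobs)) * 1000:.2f} ms")
    print(f"worker sent {deliver_pending(jobs)} email(s) for 30 requests")
```

Two caveats a reviewer would add: the enqueue must cost the same on both branches (here a job is pushed for every request, real user or not), and any remaining conditional work on the request path, such as a database write that only happens for real users, is itself a smaller timing signal, so either perform it in the worker or perform an equivalent write for both cases. Once the email is sent asynchronously, a dummy mailbox for non-existent usernames is no longer needed.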