Questions tagged [user-enumeration]

A technique used against systems that leak whether a given username or email address is registered, in order to build a list of valid accounts.

40 questions
86 votes, 10 answers

New Gmail login system—going against conventional wisdom?

I noticed that the new gmail login asks for username first, and then confirms if such a username exists, before asking for password input. Does this not go against conventional security wisdom to not divulge information about whether a username…
ataftoti
80 votes, 10 answers

Generic error message for wrong password or username - is this really helpful?

It is really common (and I would say it is some kind of security basic) to not show on the login page if the username or the password was wrong when a user tries to log in. One should show a generic message instead, like "Password or username are…
Mirco
79 votes, 3 answers

Does correcting misspelled usernames create a security risk?

Does correcting a misspelled username and prompting the user with a valid username introduce a security risk? I recently tried logging into facebook and misspelled my email. They prompted me with the message below. Log in as…
GER
77 votes, 7 answers

Is it unsafe to show message that username/account does not exist at login?

According to the OWASP Auth Guidelines, "An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account." However, I have…
styfle
62 votes, 4 answers

Disclose to user if account exists?

Someone told me it shouldn't be possible for someone to detect if a certain email address is used by a registered user on a website. So, for instance, when the user asks to reset his password, you should say "Password sent" whether the email exists…
forthrin
32 votes, 6 answers

Password reset giving clues of possible valid email addresses

We have a system where, if you forgot your password and want to reset it, you go to the forgot password page and enter your email address. A temporary link will be sent to your email to reset your password. Now, when we subjected our app to…
davshowhan449
20 votes, 4 answers

Preventing User Enumeration on Registration Page

You have a website that users log into, and you want to prevent user enumeration. On the login page and the forgotten password page, this can be achieved by careful choice of user messages, but what about the new user registration page? You want to…
James_pic
15 votes, 7 answers

Mitigate timing attack threat against password recovery page

We recently had an external security review performed on a public-facing website we manage. They noted that on the "recover password page", there are different response times when providing existing and non-existing usernames. They claim this could…
MEMark
14 votes, 4 answers

Is username enumeration practical when the username is an email address?

From what I understand it is bad security practice to display informative failed login messages like: "The email you entered does not exist" instead of "Incorrect email/password combination", because it can lead to username enumeration. Is this…
Abe Miessler
10 votes, 2 answers

User Enumeration Vulnerability while creating Google account

When we create a Google account, Google tells us whether an account with specified username exists or not. Doesn't that lead to user enumeration? Why not let users fill other information first, pass the CAPTCHA test, and then choose the email…
Engineer
8 votes, 6 answers

Forgot password and revealing whether account exists

So when you hit that forgot password link and enter your email address, it seems that sites (and other programmers I've spoken to) are in one of two mindsets: notify the user whether or not the email address matched with one in the database and…
Stafford Williams
7 votes, 1 answer

Informative error messages in password reset functionality?

When I am implementing password reset functionality I usually do not include informative messages about whether a user was found, because I have always believed that it can lead to user name enumeration. So instead of showing: Account with email…
Abe Miessler
6 votes, 1 answer

CAPTCHA enough to thwart user enumeration?

Say I have a site that has a user registration process where, when a user enters an email address already in use, an error message is displayed telling them that. This seems like an easy way for a malicious user to enumerate users. Would adding…
Abe Miessler
6 votes, 2 answers

Why do several bug bounties ignore user enumeration?

While viewing bug bounties, I noticed that most of the bug bounties list user enumeration in the exclusion list. For instance, brute forcing user accounts and forgot password forms would generally fall into this category. This got me thinking about…
4 votes, 2 answers

Dealing with violating privacy of registered users during failed authentication

We are going back and forth discussing how to deal with privacy issues during failed authentication, password reset and account creation on a web application. Let's say I am in the process of creating an account on an application and I am using an email…
Wilt