22

You have a website that users log into, and you want to prevent user enumeration.

On the login page and the forgotten password page, this can be achieved by careful choice of user messages, but what about the new user registration page? You want to ensure that creating an account for an existing user is impossible, but this tells an attacker that the account already exists, allowing enumeration.

What mechanisms can be used to prevent user enumeration on new user registration?

James_pic
  • 2,540
  • 2
  • 18
  • 22

4 Answers4

20

Since the username is the public part, it isn't the end of the world if it can be enumerated, however if you really do want to avoid this, the easiest thing is to have them use e-mail address as the username. Then you simply say that you sent a link to the e-mail no matter if they have an account already or not.

AJ Henderson
  • 41,896
  • 5
  • 63
  • 110
5

An option is to use captcha. The the username can be verified after a submission and the captcha is updated if the username is already taken. This at least should slow down the process.

I think there are other options, but they are complex (for example have a exponential time to return the page after a submission for a duplication user) or could render the application unusable (block user for a an amount of time after X attempts).

If you're using emails as usernames, then the 2nd option is not that bad.

HocusPocus
  • 472
  • 2
  • 8
  • 3
    "and the captcha is updated if the username is already taken." - Now you can enumerate usernames by checking to see if the captcha is updated. – cytinus Dec 05 '18 at 17:09
0

User enumeration is not so evil. Username is public part, password is secret. For example, on this page we all can know that user James_pic exists on stackexchange. Googling or writing simple crawler can easily give attacker great number of usernames, helping to narrow attack, but other security measures still making attackers task very hard.

Idea is to have security policy (at least unwritten, in mind), separate public and secret things and focus efforts on securing what must be secret. If you want to use username as 'second part of secret', thats probably wrong way, better require two times longer passwords, or two factor authentication, because keeping usernames in secret is much harder.

If for some reason you need to keep usernames secret too (for example, you dont want anyone to know how many users registered) - then maybe better to assign username yourself (e.g. userNNNNN, or user-<10 random letters>) or use apprach with email or phone number as username.

yaroslaff
  • 59
  • 3
  • The site in question is an eCommerce site, so there's no reason for one user to know about another. On one level, I suspect you're right (the question was prompted by a security audit, and I suspect the auditor was getting paid by the finding), but is there a general solution to the problem? – James_pic Oct 10 '14 at 12:45
  • 6
    For enterprise software, user enumeration can become more sensitive. It can provide some phishing targets to let you get access to the organization as a whole. – Zak Kus Oct 24 '14 at 00:15
  • -1: It can be pretty evil, depending on people's varying sensitivity to their own privacy. Think of a dating website. – Jan Żankowski Feb 24 '21 at 10:34
  • If you’re very sensitive to your own privacy you won’t use firstname_lastname as a username on a dating website where anyone can find you. – bfontaine Nov 04 '21 at 15:06
  • 1
    That was not the question. This question asks how to prevent user enumeration, not what the impact of user enumeration is. (Off-topic: I used to think the same as you, but since learning how we practically do attacks in simulations, I found that having a username helps to search data dumps and try some likely passwords, whereas without username you might be barking up the wrong tree altogether so you have to multiply these attempts by a ton of possible usernames.) This is the relevant question: https://security.stackexchange.com/questions/4729/should-usernames-be-kept-secret – Luc Nov 16 '21 at 10:19
  • Old post, but want to point out the fact that you cant login with a username for stack exchange. – codewizard Jan 06 '22 at 22:37
-3

Another option is to use the same approach as login screen: Tell them theres something wrong, but not whats wrong.

Here is a example error message:

"A error occured with your registration. The cause of the error can be:
- The username is invalid or is already taken. Select Another username.
- The password is of a invalid length. Use a longer password.
- Both passwords do not match. Retype your passwords to ensure you entered them correctly.
- The email adress you entered is already registred or is invalid. Use a Another email adress.
- The captcha is invalid. Write the response for the captcha correctly.
- You have not agreed to the terms of service. Make sure you agree to the terms of service and check the applicable checkbox below.

Correct any errors in registration and try again. We do not disclose the reason why the registration failed for security reasons."

This can be negative to user experience because they dont know why their registration is rejected. But sometimes, user expericence has to be traded for security.

sebastian nielsen
  • 8,799
  • 1
  • 19
  • 33
  • This one works well when there's no way for the user to know which field is wrong - so it works well when there's a username and an email, but less well when the user can verify all the fields but the username (for example if the password requirements are detailed on the page). Also, I've heard of sites requiring each user to have a unique password, and whilst that's not necessarily a good idea, it would work well with this. – James_pic Oct 14 '14 at 15:14
  • 9
    This doesn't prevent enumeration, it'll just annoy new users who don't know why their form was rejected. An attacker will quickly learn how to script the form submission to always be valid in every field except the username they wish to test for existence. – perfectionist Oct 06 '15 at 16:44