1. 16

  2. 1

    I get that leaking associated contact info and potential passwords is bad but the author seems really against username enumeration. However, I don’t see how that’s avoidable. If usernames are unique, then there’s probably some preemptive username availability checker that will help you enumerate. Even if there isn’t, you can just automate account creation and if you’re rejected because a username exists already, then you hit a collision.

    1. 1

      You can make it much harder.

      First of all, you can set rate limits to make username enumeration by account creation infeasible.

      Second of all, you can do away with usernames in favor of emails, at which point you don’t need to worry about notifying the web page user that account creation failed; just send an email saying that the account already exists, but that doesn’t pose an enumeration risk because the information is only available to someone who has access to the email. I guess if you and your spouse both sign up for Ashley Madison using your shared email, that’s a problem, but I think you have bigger things to worry about in that case.
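The two mitigations in this reply, a per-client rate limit and an email-based signup whose visible response never reveals whether the address is registered, as an added example in Python (not code from the commenter or the site under discussion; the class, limits and "outbox" list are assumptions standing in for a real mailer and rate limiter):

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600          # assumed: 1-hour sliding window per client
MAX_ATTEMPTS_PER_WINDOW = 5    # assumed: signup attempts allowed per window


class SignupService:
    """Enumeration-resistant signup: the web client gets the same status and
    body whether or not the address exists; the distinguishing message goes
    only to the inbox that owns the address."""

    def __init__(self, existing_emails, now=time.time):
        self.users = {e.lower() for e in existing_emails}
        self.outbox = []                    # (recipient, kind) of mails "sent"
        self.attempts = defaultdict(deque)  # client_ip -> recent timestamps
        self.now = now                      # injectable clock for testing

    def _rate_limited(self, client_ip):
        # Sliding-window counter per client: drop stale entries, then check.
        q = self.attempts[client_ip]
        t = self.now()
        while q and t - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_ATTEMPTS_PER_WINDOW:
            return True
        q.append(t)
        return False

    def signup(self, client_ip, email):
        if self._rate_limited(client_ip):
            return {"status": 429, "message": "Too many requests; try later."}
        email = email.strip().lower()
        if email in self.users:
            # Existing account: tell the mailbox owner, not the web client.
            self.outbox.append((email, "already_registered"))
        else:
            # New address: verification link; account is created only after
            # the address proves it can receive mail.
            self.outbox.append((email, "verify_address"))
        # Identical response in both branches, so nothing leaks to the caller.
        return {"status": 200, "message": "Check your email to continue."}
```

Both branches do the same amount of work before returning, which keeps the response timing from becoming the side channel that the body no longer is.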