Is it unsafe to show message that username/account does not exist at login?

This is a trade-off between security and usability, and therefore there is not really a right answer here. So here follows my opinion.

If you can keep usernames secret, then do so. In this case there is no way to figure out whether a username exists, and the login reacts the same whether a user exists or not. Note that this also means taking the same amount of time to return an error message.

This behavior may not be possible. For example if users can register themselves and choose their own username, you have to notify them when a username already exists in the system. If this is the case, make the login as easy to use as possible by providing the most detailed error message. If someone can figure out whether a user exists using the registration function, there is no use in hiding this at the login.
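The first answer's point (same message and same amount of time whether or not the user exists) is easy to get wrong in code: the obvious implementation returns early when the username is missing and so skips the password hash, which is measurable even when the error text is identical. The following is an added example, not code from the original answer or from any real project; the user store, passwords and `hash_password` parameters are constructed for illustration. It shows a leaky login beside a hardened one that always runs the hash (against a dummy record when the user is unknown) and always returns the same generic error:

```python
import hashlib
import hmac
import os
import secrets

GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count is an assumption for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_store(credentials):
    """Constructed in-memory user store: username -> (salt, password hash)."""
    store = {}
    for username, password in credentials:
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store


# Sample store for the example (constructed, not real accounts).
USERS = make_user_store([("alice", "correct horse battery staple")])

# A dummy record with a random password, hashed once at startup. It is used
# whenever the username does not exist so that the unknown-user path costs
# the same hash computation as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_urlsafe(32), _DUMMY_SALT)


def login_leaky(store, username, password):
    """The pattern the answer warns against: different messages, and an early
    return that skips the (slow) hash when the user is unknown."""
    record = store.get(username)
    if record is None:
        return (False, "Unknown username.")
    salt, stored = record
    if hash_password(password, salt) != stored:
        return (False, "Wrong password.")
    return (True, "OK")


def login_hardened(store, username, password):
    """Same message and same work in both cases: the hash is always computed,
    compared in constant time, and the result is only accepted if the user
    actually exists."""
    record = store.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = hash_password(password, salt)
    # compare_digest runs on both paths; the `and` only masks the dummy match.
    ok = hmac.compare_digest(candidate, stored) and user_exists
    return (ok, "OK" if ok else GENERIC_ERROR)


if __name__ == "__main__":
    for user in ("alice", "nobody"):
        print(user, "leaky:", login_leaky(USERS, user, "wrong"))
        print(user, "hardened:", login_hardened(USERS, user, "wrong"))
```

Note that the dummy hash removes the large timing gap (one PBKDF2 run versus none); a dictionary lookup miss is still marginally different from a hit, so rate limiting and monitoring remain necessary, and, as the answer says, none of this helps if registration reveals the same information anyway.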


It's not the only OWASP guideline that is not followed by big players. OWASP often focuses on security and ignores usability. It can be a valid design choice if combined with a decent password policy, brute-force protection (lockout, CAPTCHA, ...), MFA, monitoring failed login attempts, etc.

Take into account that user enumeration isn't just the problem of being able to guess user accounts which you can later brute-force for authentication. Some sites should protect the privacy of their users (adult, political parties, dating, ...). If I want to check if my boss is using an adult website, I can misuse a user enumeration vulnerability to know what sites he is using.
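The second answer lists lockout and monitoring of failed logins as the compensating controls that make a detailed login message acceptable. As an added example (not from the original answer), here is the detection logic run over a few constructed log lines: it applies a per-account failure threshold for lockout, and separately flags a source IP that fails against many distinct accounts, which is the pattern enumeration or password spraying leaves even when each account sees only one attempt. The log format and thresholds are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, not captured from any real system.
# 198.51.100.7 hammers one account; 203.0.113.5 tries one password per account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user=alice ip=198.51.100.7
2024-05-01T10:00:02Z login_failed user=alice ip=198.51.100.7
2024-05-01T10:00:03Z login_failed user=alice ip=198.51.100.7
2024-05-01T10:00:04Z login_failed user=alice ip=198.51.100.7
2024-05-01T10:00:05Z login_failed user=alice ip=198.51.100.7
2024-05-01T10:00:06Z login_ok user=bob ip=192.0.2.10
2024-05-01T10:00:07Z login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:08Z login_failed user=bob ip=203.0.113.5
2024-05-01T10:00:09Z login_failed user=carol ip=203.0.113.5
2024-05-01T10:00:10Z login_failed user=dave ip=203.0.113.5
"""

# Assumed log line shape: "<timestamp> <event> user=<name> ip=<addr>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(lines, per_user_limit=5, spray_limit=3):
    """Return accounts that should be locked and IPs that look like sprayers.

    per_user_limit: failed attempts against one account before lockout.
    spray_limit:    distinct accounts one IP must fail against to be flagged.
    Both thresholds are assumptions for the example.
    """
    failures_per_user = Counter()
    users_per_ip = defaultdict(set)
    for ev in parse(lines):
        if ev["event"] != "login_failed":
            continue
        failures_per_user[ev["user"]] += 1
        users_per_ip[ev["ip"]].add(ev["user"])
    locked = {u for u, n in failures_per_user.items() if n >= per_user_limit}
    sprayers = {ip for ip, users in users_per_ip.items() if len(users) >= spray_limit}
    return {"locked_users": locked, "spraying_ips": sprayers}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG.splitlines()))
```

The two rules are deliberately independent: per-account lockout alone never fires on the spraying IP, because it spreads its attempts thinly, which is exactly why the answer pairs lockout with monitoring rather than relying on either one.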


You just can't prevent it. (Unless you're ready to sacrifice a significant amount of usability.)

User enumeration can be undesirable and there are indeed potential security implications (e.g. if an attacker finds out there is a valid account named admin which they might try to access). But for large sites it's something you can't stop from happening.

Even if you don't reveal during login that a user doesn't exist, you will eventually have to warn new users when they attempt to register an already taken name or with an already used e-mail address.

There is no user-friendly way around this:

[Screenshot: "Create your Google Account" registration page]