If you are not already familiar with the concept, please see the article entitled “What Is Account Enumeration?”
For insight into how to detect Account Enumeration, please see the article entitled “How To Test For Account Enumeration”.
Preventing Account Enumeration
Avoiding an Account Enumeration vulnerability in your application is truly simple: return the exact same response (right down to the number of bytes) when authentication fails, regardless of whether the failure is due to an incorrect account identifier, an incorrect password, or both. Extend the same principle to multi-factor authentication.
Do not succumb to the idea that you are doing your end-users a service by communicating any more information about why authentication failed.
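As an added illustration (this is example code written for this page, not code from Affinity IT Security or from any particular framework), the following Python shows a login handler that leaks account existence next to one built on the rule above. The user store, salt and credentials are constructed for the example. The hardened handler goes one step beyond the byte-identical response the text calls for: it also performs the same password-hashing work when the account does not exist, so the failure paths cannot be told apart by response time either.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# The salt and password are made up for this example; they are not real credentials.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


_SALT_ALICE = b"constructed-salt-for-alice"
USERS = {
    "alice": (_SALT_ALICE, _hash_password("correct horse battery staple", _SALT_ALICE)),
}

# Dummy record used when the account does not exist. The hardened handler hashes
# against it so an unknown username costs the same work as a wrong password.
# The random value matches no real password, and the explicit membership check
# below guarantees it can never produce a successful login anyway.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = secrets.token_bytes(32)

# One failure response for every failure cause: same status, same body bytes.
GENERIC_FAILURE = {"status": 401, "body": "Invalid username or password."}


def login_vulnerable(username: str, password: str) -> dict:
    """Leaks account existence: status code and body differ for unknown vs. known users."""
    record = USERS.get(username)
    if record is None:
        return {"status": 404, "body": "No such user."}
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return {"status": 200, "body": "Welcome, " + username}
    return {"status": 401, "body": "Incorrect password for " + username}


def login_hardened(username: str, password: str) -> dict:
    """Identical failure response and identical hashing work for every failure cause."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # Both conditions are required: the membership check prevents the dummy
    # record from ever being treated as a real account.
    if password_ok and username in USERS:
        return {"status": 200, "body": "Welcome, " + username}
    return dict(GENERIC_FAILURE)


def failure_responses_identical() -> bool:
    """Check the rule from the text: unknown-user and wrong-password failures are byte-identical."""
    unknown_user = login_hardened("nobody", "anything")
    wrong_password = login_hardened("alice", "not the password")
    same_length = len(unknown_user["body"].encode("utf-8")) == len(wrong_password["body"].encode("utf-8"))
    return unknown_user == wrong_password and same_length


if __name__ == "__main__":
    print("vulnerable, unknown user :", login_vulnerable("nobody", "x"))
    print("vulnerable, wrong password:", login_vulnerable("alice", "x"))
    print("hardened, unknown user   :", login_hardened("nobody", "x"))
    print("hardened, wrong password :", login_hardened("alice", "x"))
    print("failure paths identical  :", failure_responses_identical())
```

The same pattern carries over to a second-factor step: whether the first factor, the second factor, or both were wrong, the client should receive one generic failure, and the server should do the same amount of work before sending it.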
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization not only understand this issue but are also more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.