 

How to prevent user enumeration attacks for a login system?

With many websites it's possible to enumerate users with timing attacks. In other words, when I try to log in with a valid username I get a different response time than when I try to log in with an invalid username (assuming the password is always wrong). So one solution would be that a login operation returns in either random or constant time, no matter whether the username is valid or invalid. How do you tackle this problem? What are the best practices?

Daniel Gartmann Avatar asked Oct 27 '25 10:10

Daniel Gartmann


1 Answer

Possible solutions: Say the diff between a successful login and a failed one is 0.5 seconds.

  1. Add an extra random delay to ALL requests, ranging from 0.3 to 0.7 seconds. This will make it impossible to clearly detect what's a failed vs. a successful login. Not 100% bulletproof, of course.
  2. Add a random delay only on the failed end. The risk here is that if, for whatever reason, the diff changes over time (say new analytics was added to the success flow, so now the diff is again easy to detect), it would be easy to use the same attack at a later point.
  3. Add a random password hashing + compare operation on the failed flow. This should give the success/fail paths roughly similar response times.
  4. Deep dive into the diff; it might be that making the success flow much faster will reduce the risk.
  5. Calculate the average successful login time. Make sure no response is ever replied before this time expires.
JAR.JAR.beans Avatar answered Oct 29 '25 06:10

JAR.JAR.beans
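Options 3 and 5 from the answer above, combined in one login routine, as an added example that is not part of the original post or its answer. The unknown-user path runs the same PBKDF2 work against a dummy record, the hash comparison uses a constant-time compare, and every call is padded to a minimum response time. The user store, the iteration count and the `MIN_RESPONSE_SECONDS` floor are constructed for the example; in practice the floor is derived from the measured average of the success path, as the answer suggests.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for the example; tune iterations to your hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
# Assumed floor: set this from the measured average successful-login time.
MIN_RESPONSE_SECONDS = 0.05


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Dummy record used for unknown usernames, so the failure path still does
# a full password hash. Its password is never accepted because the caller
# also checks that the username actually existed.
DUMMY_SALT = os.urandom(SALT_BYTES)
DUMMY_HASH = hash_password("dummy-password-never-accepted", DUMMY_SALT)


def make_user_store(users: dict) -> dict:
    """Constructed in-memory store: username -> (salt, pbkdf2 hash)."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(SALT_BYTES)
        store[name] = (salt, hash_password(password, salt))
    return store


def login(store: dict, username: str, password: str,
          min_seconds: float = MIN_RESPONSE_SECONDS) -> bool:
    """Return True only for a known user with the right password.

    Unknown users, wrong passwords and correct logins all perform the same
    hash + compare work and are padded to at least min_seconds.
    """
    start = time.perf_counter()
    record = store.get(username)
    known = record is not None
    # Unknown user: hash against the dummy record instead of skipping the work.
    salt, expected = record if known else (DUMMY_SALT, DUMMY_HASH)
    candidate = hash_password(password, salt)
    # Always run the comparison; compare_digest does not exit early on mismatch.
    match = hmac.compare_digest(candidate, expected)
    ok = known and match
    # Pad to the response-time floor so fast failures don't stand out.
    elapsed = time.perf_counter() - start
    if elapsed < min_seconds:
        time.sleep(min_seconds - elapsed)
    return ok


def timed_login(store: dict, username: str, password: str,
                min_seconds: float = MIN_RESPONSE_SECONDS):
    """Helper for measurement: returns (result, elapsed_seconds)."""
    start = time.perf_counter()
    ok = login(store, username, password, min_seconds)
    return ok, time.perf_counter() - start


if __name__ == "__main__":
    users = make_user_store({"alice": "correct horse battery staple"})
    for name, pw in [("alice", "correct horse battery staple"),
                     ("alice", "wrong"),
                     ("nobody", "wrong")]:
        ok, secs = timed_login(users, name, pw)
        print(f"{name:8s} ok={ok!s:5s} {secs * 1000:.1f} ms")
```

The floor pads the fast failure cases up to the slow success case; it does not hide work that takes longer than the floor, so it should be re-measured whenever the success path changes (the answer's option 2 caveat applies equally here). Returning a bare boolean also keeps the caller from leaking which of the two checks failed in its error message.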


