Is there a security reason not to reveal the existence of a user ID?

Question

I've noticed that on some sites, when you request a password reminder or sign in, they'll tell you if the user doesn't exist (I think Meetup does this). Other sites will simply say "the user/password combination is invalid" (Google, I believe, does this).

Is there a security reason for not revealing the existence of a user id?

Answer 1

Yes there is.

You want to give attackers as little information as possible

If an attacker knows a username, they can attempt to attack that users email account. for example, if I know your login is [email protected] I can attempt to break into your gmail account. They can also see what other sites you might registered at, and attempt to break into those sites (perhaps a site author didn't properly secure their db), and steal a password and attempt to use this password against other sites that [email protected] is registered at.

If the attacker doesn't know what a valid username is, they essentially have to crack a password that is essentialy: Username.Length + Password.Length long, which increases the time it takes to crack an account.

Answer 2

Yes: don't give any password generating bots a reason to try to crack that account.

Edit: Also I imagine, you can't contact them and claim that your email account was hacked on that user account and give a new (fake) address.

Answer 3

Besides the other reasons given, apart from hacking attempts, there can be a privacy concern. Sometimes the userid can be related to the person: when the user has a standard nick that uses in many sites, or when he uses a full -and uncommon- name; or, more critically, when the userid corresponds to a document number -as some e-banking sites do. Giving freely that info (efectively telling everybody "this userid is in my database") could be an serious privacy issue.

Answer 4

No, there isn't a good security reason for it. There are security reasons for it - just not good ones.

The same answer has been given here and elsewhere over and over: it gives the attacker extra information and you want to give them as little as possible. This only works against stupid attackers and they are not the ones you have to worry about. There is a major flaw with this argument - both from a theoretical and a practical perspective.

The username can often be checked in other ways anyway (practical)

The example of email is particularly ironic, since the entire point of an email address is to give it to other people, so that they can email you. Email addresses are not secret. (Of course, you would not want to give a list of addresses that exist, but saying whether the given address exists or not is a different matter.)

In cases other than email you can often check for a username by attempting to register with it. If the username already exists the system has no choice but to tell you so! Even if it tried to be coy about it and gave you a generic error an attacker with half a brain would still figure it out, while normal users would be annoyed at not being able to register and leave.

The username is not a secret (theoretical)

In security it is important to define what is a secret and what isn't. If people believe the username is secret and it isn't that's a problem - they have the illusion of security, which is worse than no security. The user needs to be clear on this: the password is secret, the username is not. Even if you are not aware of any ways to obtain the username you cannot rely on the fact that maybe someone who has your password won't have your username. If your password is compromised it's all over.

Since the username typically cannot be truly secret (it identifies the user, after all) it can become a "half-secret": something that's not usually revealed, but is if you push hard enough. People will often think that two "half-secrets" make a secret - but they don't. Of course, they don't think of it in those terms. Instead they will think "it's not so bad if I have an easy PIN, because nobody can use it without my bank card anyway" and separately think "it's not so bad if I lose my bank card, because nobody can use it without the PIN anyway".

Even if the username was a secret it would not improve security. Why not? Because you now simply have two passwords. Two passwords is not "defence in depth" - it is simply one password that has been split into two parts (one of which is quite easy to compromise). It's less effective than just making the password twice as long (or twice as complex).