Security risk in exposing email addresses and usernames?

Tags: security, email

Joomla has a built-in function on its login screen "I've forgotten my user name", so that you can type in your email address and the username is sent to you via email.

I was thinking of changing it so that the username was displayed on screen immediately, without any form of authentication. This would greatly reduce the friction for our users who are returning after a long while, but it would allow anyone to type in any email address and see the associated username (definitely not the other way around though).

Does this create any security risks? Is it a good idea at all?

nickf asked Feb 03 '26 23:02


2 Answers

The current implementation requires the user to own the email address, and read the resulting email, to retrieve the username.

Your implementation lets an attacker know immediately which username is connected to an email address. So if the attacker knows a person's username, it's possible to guess at email addresses.

Worse, suppose the attacker somehow knows the password but not the email address. After successfully guessing an email address, it's a reasonable guess that the password for the email account is similar to the password for your web site. So you've helped the attacker hijack the email account, which may contain more information about additional accounts, and so on.

In general, changing any security-related functionality to make things "easier" than the standard implementation probably incurs a security risk. +1 for researching via SO before implementing!

Adam Liss answered Feb 05 '26 13:02


At first glance, it seems like a "bad idea" because you are allowing anyone to:

  1. verify an account exists
  2. confirm the association between a username and an email address

If usernames and mail addresses are treated as "private" information on your site and not already shared, then I would not implement the username lookup by email feature. In effect you are lowering the security bar by 1 factor:

  • Currently, looking up the username requires both the email address and the user's full mail credentials (so they can pick up the reply)
  • After the change, all they need is the mail address.

Perhaps more significantly, you create a privacy issue that would need to be addressed (as mentioned by @SoapBox).

But in reality, your site might already employ "username" as a public handle or nickname. And you may already have users publishing their email in their profiles. If this is the case, the username lookup doesn't leak any new information and you could argue no new security or privacy issues are created.

It would make it all a little too easy though, like publishing the script kiddies guide on how to hack my site:

  1. Get a list of email addresses from your preferred supplier
  2. Come to my self-service mail-to-username translation page and run the list through (simple script for this)
  3. Launch dictionary attack on the site using the resulting list of usernames

Bottom line - I think you are best to leave this feature as-is.

tardate answered Feb 05 '26 13:02
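To make the two designs the answers contrast concrete, here is an added example (not from the question, the answers, or Joomla's own code) in Python: the proposed on-screen lookup beside a hardened version of the existing mail-the-username flow. The user table, the outbox that stands in for an SMTP client, and the per-IP request budget are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
import time

# Constructed sample user table: email -> username (not real accounts).
USERS = {
    "alice@example.com": "alice_w",
    "bob@example.com": "bobby42",
}


def leaky_lookup(email: str) -> dict:
    """The proposed change: answer immediately with the username.

    The response differs for known and unknown addresses, so a caller learns
    both that an account exists and which username it maps to, with no
    ownership of the mailbox required."""
    username = USERS.get(email)
    if username is None:
        return {"status": "unknown_email"}
    return {"status": "ok", "username": username}


@dataclass
class ForgotUsernameService:
    """Hardened version of the existing flow.

    The username only ever travels to the mailbox, the HTTP response is the
    same whether or not the address is registered, and each source IP gets a
    small budget of requests per window so the endpoint cannot be used to run
    a bulk email list through it."""
    max_requests: int = 5
    window_seconds: int = 3600
    outbox: list = field(default_factory=list)   # stands in for an SMTP client
    _hits: dict = field(default_factory=dict)    # client_ip -> request timestamps

    def lookup(self, email: str, client_ip: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        recent = [t for t in self._hits.get(client_ip, []) if now - t < self.window_seconds]
        if len(recent) >= self.max_requests:
            return {"status": "too_many_requests"}
        self._hits[client_ip] = recent + [now]
        username = USERS.get(email)
        if username is not None:
            # Only the mailbox owner sees this; the web response stays generic.
            self.outbox.append((email, f"Your username is {username}"))
        return {"status": "accepted",
                "message": "If that address is registered, the username has been emailed to it."}
```

The generic response removes the existence oracle the second answer describes; in a real deployment the mail send should also be queued so that response timing does not differ between registered and unregistered addresses.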
