ep0ch Posted June 7, 2016
When trying to log in with an invalid username, the following message is displayed: "The Display Name or Email Address you entered does not belong to any account. Make sure that it is typed correctly." This is a security issue, as usernames/email addresses can be enumerated. It also means attackers can lock accounts out. I recommend this message and the invalid-password message be the same. PS: I'm surprised your external security audit hasn't picked this obvious one up? It usually comes up as a high/critical on security reports we've had.
MADMAN32395 Posted June 8, 2016
Not really a security issue. Just a troll thing. As an end user, you can just either enter the correct password to undo the lock or reset your own password.
ep0ch Posted June 8, 2016
Entering the correct password doesn't unlock? There are two issues with username enumeration: 1. An attacker now knows valid usernames/emails and can then brute-force an account or go phishing. 2. An attacker can perform an easy DoS and keep locking accounts out. I'm sure "admin" is a very well-used username!
Colonel_mortis Posted June 8, 2016
Usernames can already be obtained by looking at the site: login usernames are the same as display names. However, email enumeration (or, more to the point, revealing that the owner of that email has an account on the site) is not ideal, so I agree that it would be a good idea to change the message to just "your username or password was incorrect". It isn't a high-priority issue (in this case) though, just not best practice. Accounts are only locked out per IP address, so unless you're on the same network as the person you're locking out, it won't affect them. This should probably be in Product Feedback though.
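To make the thread's two points concrete, here is an added example (not Invision's code and not posted by anyone in the thread): a minimal login check in the leaky form described in the first post, beside a hardened form that returns one message for both failure cases and applies the lockout per source IP as Colonel_mortis describes. The user store, the password, the IP addresses and the lockout threshold (5 failures in 15 minutes) are all constructed for illustration. The hardened version also hashes a dummy value when the account does not exist, so that the response time does not leak what the message no longer does; that caveat is the editor's, not something the thread states.

```python
"""Username enumeration at login: leaky handler beside a hardened one.

Added example with constructed data; not the forum software's real code.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed user store (hypothetical). One salt is used for the whole
# example to keep it short; a real system stores a salt per user.
_SALT = os.urandom(16)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS: Dict[str, bytes] = {
    "alice@example.com": _hash_password("correct horse", _SALT),
}

# Hashed when the identifier is unknown, so an unknown account costs the
# same work (and roughly the same time) as a known one with a wrong password.
_DUMMY_HASH = _hash_password("not-a-real-password", _SALT)

GENERIC_MESSAGE = "The username/email address or password you entered is incorrect."


def login_leaky(identifier: str, password: str) -> Tuple[bool, str]:
    """Vulnerable: two different messages reveal whether the account exists."""
    stored = USERS.get(identifier)
    if stored is None:
        return False, ("The Display Name or Email Address you entered does "
                       "not belong to any account.")
    if not hmac.compare_digest(_hash_password(password, _SALT), stored):
        return False, "The password you entered is incorrect."
    return True, "Logged in."


# Hardened version: one message, equal work, lockout keyed on the client IP
# (assumed policy: 5 failures within 15 minutes lock that IP only).
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
_failures: Dict[str, List[float]] = defaultdict(list)  # ip -> failure times


def _ip_locked(ip: str, now: float) -> bool:
    recent = [t for t in _failures[ip] if now - t < LOCKOUT_SECONDS]
    _failures[ip] = recent
    return len(recent) >= MAX_FAILURES


def login_hardened(identifier: str, password: str, ip: str,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """One message for unknown account, wrong password and locked-out IP."""
    now = time.time() if now is None else now
    if _ip_locked(ip, now):
        # The locked-out client learns nothing about the account either way.
        return False, GENERIC_MESSAGE
    stored = USERS.get(identifier, _DUMMY_HASH)
    # Always run the hash; the membership test is what decides for unknown
    # identifiers (it stops a guess of the dummy value from "logging in").
    matched = hmac.compare_digest(_hash_password(password, _SALT), stored)
    if not (matched and identifier in USERS):
        _failures[ip].append(now)
        return False, GENERIC_MESSAGE
    return True, "Logged in."


if __name__ == "__main__":
    print(login_leaky("nobody@example.com", "x"))
    print(login_leaky("alice@example.com", "wrong"))
    print(login_hardened("nobody@example.com", "x", "10.0.0.1"))
    print(login_hardened("alice@example.com", "wrong", "10.0.0.1"))
```

Because the lockout counter is keyed on the client address, five failures from one IP against "alice@example.com" block only that IP; Alice logging in from another address is unaffected, which is the point Colonel_mortis makes about the DoS concern. The single message is what the first post asks for, and it covers the locked-out case as well, since "you are locked out" would otherwise become a new oracle for which identifiers attract lockouts.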