Re: preventing sign up forms from being used for user enumeration

[Nathan Bijnens <nbijnens () servs eu>]

Let people enter an email address. If it isn't used mail them with a
unique link to continue the registration process. If it is allready used
don't send a mail?

Robin Wood wrote:
> Hi
> I'm developing a application which requires users to sign up with both
> a username and an email address. I only want an email address to sign
> up once and don't want duplication of usernames.
>
> If I just put up a warning stating that an email address is already
> registered if it is, the form is open to being used for user
> enumeration. Apart from using things like captchas to try to defeat
> automated attacks, is there any way to stop this?
>
> I know on things like forgotten password forms you can ask for extra
> info so someone guessing would have to get both bits right but I can't
> think of a way to do this here.
>
> Robin
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> The Twelve Most Common Application-level Hack Attacks
> Hackers continue to add billions to the cost of doing business online 
> despite security executives' efforts to prevent malicious attacks. This 
> whitepaper identifies the most common methods of attacks that we have 
> seen, and outlines a guideline for developing secure web applications. 
> Download today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
> --------------------------------------------------------------------------

--
Nathan Bijnens | Zaakvoerder | nbijnens () servs eu | +32 486 15 88 29
Servs BVBA | http://servs.eu | BTW BE 0888 048 856 | 001-5180517-17

Attachment: nbijnens.vcf
Description:

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature