# Username Enumeration Prevention

By default Drupal is very secure (especially Drupal 7). However, there is a way
to exploit the system by using a technique called username enumeration. Both
Drupal 6 and 7 have this issue, but it is much worse for people using Drupal 6.
This is because Drupal 6 does not have any built-in brute force prevention.
Once an attacker knows a username, they can start a brute force attack to gain
access to that account. To help prevent this, it is best if usernames on the
system are not easy to find out.

The module provides several additional protections to prevent username
enumeration.

## Request New Password Validation

Attackers can easily find usernames that exist by using the forgot password form
and a technique called "username enumeration". The attacker can enter a username
that does not exist and they will get a response from Drupal saying so. All the
attacker needs to do is keep trying usernames on this form until they find a
valid user.

This module will stop this from happening. When the module is enabled, the error
message is replaced with the same message a valid user would see, and the user
is redirected back to the login form. If the user does not exist, no password
reset email is sent, but the attacker has no way of knowing this.

For a demonstration of this, visit the password reset page at zeusarticles.com
and try to enter an invalid username. You will see the same message as for a
valid username.

## Access User Profiles Permission

If a user belongs to a role that has "access user profiles" granted to it, then
that user can serially visit all integers at the URL http://drupal.org/user/UID
and get the username from the loaded profile pages. With this permission, the
user can also call the core callback at http://drupal.org/user/autocomplete/a
and get the usernames. Replacing the "a" with each letter of the alphabet in
turn prints an array of usernames.

Installing this module on a site will notify site administrators whether this
issue is present or not, via the Status Report page (Home » Administration »
Reports » Status report).

## Views

If a site has the views module installed then views exposes an autocomplete
callback which can similarly be enumerated with letters of the alphabet to
get all the usernames.
See http://drupal.org/admin/views/ajax/autocomplete/user/a for an example.
This callback doesn't have any access restrictions assigned by the views module.

Installing this module will make the views autocomplete callback require the
"access user profiles" permission. This will prevent anonymous users from
accessing the callback as long as the anonymous user role does not have "access
user profiles" enabled.

If either of the two issues above exists, the module will notify the site
builder when the module is enabled.
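As an added illustration of how the three protections above fit together in Drupal 7 (not this module's own code), here is a hypothetical module named `uep_example` that swaps core's password-reset handlers, puts "access user profiles" on the Views autocomplete path from the URL above, and raises a status report warning; the module name and the wording of the warning are assumptions.

```php
<?php
// Hypothetical module "uep_example" (assumed name); Drupal 7 APIs throughout.

// Implements hook_form_FORM_ID_alter() for user_pass(): swap core's handlers.
function uep_example_form_user_pass_alter(&$form, &$form_state) {
  $form['#validate'] = array_diff($form['#validate'], array('user_pass_validate'));
  $form['#validate'][] = 'uep_example_pass_validate';
  $form['#submit'] = array('uep_example_pass_submit');
}

function uep_example_pass_validate($form, &$form_state) {
  $name = trim($form_state['values']['name']);
  $account = user_load_by_mail($name);
  $account = $account ? $account : user_load_by_name($name);
  // Only active accounts get a reset mail; blocked ones are treated as unknown.
  if ($account && $account->status) {
    form_set_value(array('#parents' => array('account')), $account, $form_state);
  }
  // Deliberately no form_set_error(): the response must not reveal existence.
}

function uep_example_pass_submit($form, &$form_state) {
  if (!empty($form_state['values']['account'])) {
    user_pass_submit($form, $form_state);  // core mails the one-time login link
    return;
  }
  // Unknown user: same message and redirect as core, but no e-mail is sent.
  drupal_set_message(t('Further instructions have been sent to your e-mail address.'));
  $form_state['redirect'] = 'user';
}

// Implements hook_menu_alter(): put "access user profiles" on the Views path.
function uep_example_menu_alter(&$items) {
  if (isset($items['admin/views/ajax/autocomplete/user'])) {
    $items['admin/views/ajax/autocomplete/user']['access callback'] = 'user_access';
    $items['admin/views/ajax/autocomplete/user']['access arguments'] = array('access user profiles');
  }
}

// Implements hook_requirements() (belongs in the .install file): status report check.
function uep_example_requirements($phase) {
  if ($phase != 'runtime' || !user_access('access user profiles', drupal_anonymous_user())) {
    return array();
  }
  return array('uep_example' => array(
    'title' => t('Username enumeration'),
    'value' => t('Anonymous users have the "access user profiles" permission.'),
    'severity' => REQUIREMENT_WARNING,
  ));
}
```

Clear the menu cache after enabling the module so hook_menu_alter() takes effect. Note that the known-user branch still sends an e-mail and therefore takes longer to respond, so response timing can differ between the two branches even though the page content is identical.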

## Other

Note: There may be other places where usernames could be exposed that this
module may not know about. Examples are the "submitted by" information on nodes
or comments, views, exposed filters or by other contributed modules. Users
looking to hide the usernames from comments and nodes should look at using
realname or some other tool.

## Installing Username Enumeration Prevention

Place the entirety of this directory in
sites/all/modules/username_enumeration_prevention. Navigate to Administer >>
Build >> Modules. Enable Username Enumeration Prevention.
