Username Enumeration Prevention
Mitigates username enumeration attacks by suppressing error messages on password reset forms and converting 403 Access Denied responses to 404 Not Found on user profile routes.
username_enumeration_prevention
Install
composer require 'drupal/username_enumeration_prevention:8.x-1.4'
composer require 'drupal/username_enumeration_prevention:8.x-1.3'
Overview
Username Enumeration Prevention is a security-focused module that protects Drupal sites from username enumeration attacks. Username enumeration is a technique used by malicious actors to identify valid usernames on web applications, which can then be used in downstream attacks like credential stuffing, brute force attacks, or social engineering.
The module works through two primary mechanisms: First, it modifies the password reset form to prevent it from displaying messages that reveal whether a username or email address exists in the system. Messages like "%name is blocked or has not been activated yet" and "%name is not recognized as a username or an email address" are suppressed from end users while still being logged for administrators. Second, it implements an event subscriber that converts HTTP 403 Access Denied responses to 404 Not Found responses on all user-related routes, preventing attackers from distinguishing between non-existent users and users they simply cannot access.
The module also provides runtime status report warnings if anonymous users have the "access user profiles" permission, as this configuration would bypass the module's protections.
Features
- Suppresses error messages on the password reset form that could reveal valid usernames or email addresses
- Converts 403 Access Denied HTTP responses to 404 Not Found on user profile and user-related routes
- Logs blocked user password reset attempts for administrative review without exposing information to attackers
- Maintains flood protection functionality while suppressing flood-related error messages that could aid enumeration
- Provides runtime requirements check warning if anonymous users can access user profiles
- Supports Drupal 9.5, 10, and 11
Use Cases
Preventing Password Reset Enumeration
When an attacker attempts to enumerate valid usernames by submitting the password reset form with various usernames, they normally receive different messages for valid vs invalid usernames. With this module, all submissions receive the same response regardless of whether the username exists, is blocked, or is invalid. This prevents attackers from building a list of valid user accounts.
Protecting User Profile URLs
Without this module, an attacker could enumerate valid user IDs by visiting /user/1, /user/2, etc. - existing users would return 403 Access Denied while non-existent users return 404. With this module, both scenarios return 404, making it impossible to distinguish between them.
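The 403-to-404 conversion described above can be implemented as a kernel exception subscriber. The following is an added example, not the module's own code: it assumes a hypothetical custom module named enum_guard, and the route-name prefixes it treats as "user-related" (core names user entity routes entity.user.* and the remaining user routes user.*) are an assumption to tune per site.

```php
<?php

// Added example (not the module's own code). Hypothetical module: enum_guard.
// File: modules/custom/enum_guard/src/EventSubscriber/UserRouteAccessDeniedSubscriber.php
//
// Register the service in enum_guard.services.yml (assumed file):
//   services:
//     enum_guard.user_403_to_404:
//       class: Drupal\enum_guard\EventSubscriber\UserRouteAccessDeniedSubscriber
//       tags:
//         - { name: event_subscriber }

namespace Drupal\enum_guard\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Rewrites 403 on user routes as 404 so "exists but forbidden" and
 * "does not exist" look the same to the client.
 */
class UserRouteAccessDeniedSubscriber implements EventSubscriberInterface {

  /**
   * Route-name prefixes considered user-related (assumption; adjust per site).
   */
  const ROUTE_PREFIXES = ['entity.user.', 'user.'];

  public static function getSubscribedEvents(): array {
    // High priority: run before core's exception renderers, which would
    // otherwise build the 403 page from the original exception.
    return [KernelEvents::EXCEPTION => ['onException', 100]];
  }

  public function onException(ExceptionEvent $event): void {
    $throwable = $event->getThrowable();
    if (!$throwable instanceof AccessDeniedHttpException) {
      return;
    }
    $route = (string) $event->getRequest()->attributes->get('_route', '');
    if (!static::isUserRoute($route)) {
      return;
    }
    // The real reason goes to the site log for administrators only.
    \Drupal::logger('enum_guard')->notice('403 on user route %route returned as 404.', ['%route' => $route]);
    // Replace the exception; downstream subscribers now render a 404 page.
    $event->setThrowable(new NotFoundHttpException('', $throwable));
  }

  /**
   * TRUE when the route name starts with one of the configured prefixes.
   */
  public static function isUserRoute(string $route): bool {
    foreach (static::ROUTE_PREFIXES as $prefix) {
      if (strncmp($route, $prefix, strlen($prefix)) === 0) {
        return TRUE;
      }
    }
    return FALSE;
  }

}
```

Because the check is keyed on route name rather than path, it also covers /user/UID/edit and similar sub-routes. A quick check after enabling it: request /user/1 and a clearly unused ID such as /user/999999 from an anonymous session and confirm both return HTTP 404 with the same page.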
Compliance with Security Standards
Organizations following security standards like OWASP guidelines that recommend preventing user enumeration can implement this module as part of their security hardening strategy.
Protecting Against Credential Stuffing Preparation
Attackers often enumerate valid usernames before launching credential stuffing attacks. By preventing username enumeration, this module makes it more difficult for attackers to prepare targeted attacks against known valid accounts.
Tips
- Review Views and content display settings that might expose usernames through 'Submitted by' information on nodes and comments
- Consider using the Security Kit module to disable browser autocompletion on login forms
- Remember that the Drupal Security Team does not consider username enumeration a critical vulnerability, but it can be a concern for high-security sites
- The module logs blocked user password reset attempts - review your logs periodically for suspicious activity
- Test the module's effectiveness by attempting to reset passwords for non-existent and blocked users from an anonymous session
Technical Details
Hooks
hook_form_user_pass_alter
Alters the password reset form to add custom validation that suppresses username enumeration error messages
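The following is an added example of the form alteration described above, not the module's own code. It assumes a hypothetical module named enum_guard and relies on core's own UserPasswordForm validator having already run (flood checks and account lookup); it then logs and clears any user-visible error and ends every submission with the same message and redirect.

```php
<?php

// Added example (not the module's own code). Hypothetical file: enum_guard.module

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_FORM_ID_alter() for the user_pass form.
 */
function enum_guard_form_user_pass_alter(array &$form, FormStateInterface $form_state) {
  // Core's ::validateForm stays first so flood limits are still registered
  // and enforced; our validator is appended and sees whatever errors core set.
  $form['#validate'][] = 'enum_guard_user_pass_validate';
  // Replace the submit chain so an unknown or blocked account never reaches
  // core's mailer and every path ends identically.
  $form['#submit'] = ['enum_guard_user_pass_submit'];
}

/**
 * Logs, then clears, the errors that would reveal whether an account exists.
 */
function enum_guard_user_pass_validate(array &$form, FormStateInterface $form_state) {
  $errors = $form_state->getErrors();
  if (!$errors) {
    return;
  }
  $name = trim((string) $form_state->getValue('name'));
  foreach ($errors as $message) {
    // Administrators keep the detail ("blocked", "not recognized", flood hit);
    // the visitor never sees it.
    \Drupal::logger('enum_guard')->notice('Suppressed password reset error for %name: @message', [
      '%name' => $name,
      '@message' => (string) $message,
    ]);
  }
  $form_state->clearErrors();
}

/**
 * Uniform submit handler: mail only when core resolved an active account.
 */
function enum_guard_user_pass_submit(array &$form, FormStateInterface $form_state) {
  $name = trim((string) $form_state->getValue('name'));
  // Core sets 'account' only for an existing, active, non-flooded user;
  // after a suppressed error it is empty and nothing is mailed.
  $account = $form_state->getValue('account');
  if ($account) {
    _user_mail_notify('password_reset', $account);
  }
  // Same message and same redirect regardless of outcome.
  \Drupal::messenger()->addStatus(t('If %name is a valid account, an email will be sent with instructions to reset your password.', ['%name' => $name]));
  $form_state->setRedirect('<front>');
}
```

Note that the response content is uniform but the response time is not: sending mail only happens for a valid account, so a careful observer could still measure the difference. Rate limiting on the reset form (which core's flood control provides) is what keeps that residual signal expensive to exploit.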
hook_requirements
Implements runtime requirements to check if anonymous users have the 'access user profiles' permission, which would bypass the module's protections
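As an added example, not the module's own code, this is how a runtime requirements check for the anonymous role's permission can be written. It assumes the hypothetical enum_guard module and lives in its .install file.

```php
<?php

// Added example (not the module's own code). Hypothetical file: enum_guard.install

use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;

/**
 * Implements hook_requirements().
 *
 * Warns on the status report when anonymous users may view profiles, since
 * /user/UID then returns 200 for real accounts and the 403-to-404 masking
 * never comes into play.
 */
function enum_guard_requirements($phase) {
  $requirements = [];
  if ($phase !== 'runtime') {
    return $requirements;
  }

  $anonymous = Role::load(RoleInterface::ANONYMOUS_ID);
  $exposed = $anonymous && $anonymous->hasPermission('access user profiles');

  $requirements['enum_guard_anonymous_profiles'] = [
    'title' => t('Username enumeration prevention'),
    'value' => $exposed
      ? t('Anonymous users can view user profiles')
      : t('Anonymous users cannot view user profiles'),
    'description' => $exposed
      ? t('The anonymous role has the "access user profiles" permission, which lets existing /user/UID pages be told apart from missing ones. Remove it at /admin/people/permissions.')
      : NULL,
    'severity' => $exposed ? REQUIREMENT_WARNING : REQUIREMENT_OK,
  ];

  return $requirements;
}
```

The OK entry is kept on purpose so the status report shows the check is active, not just silent.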
Troubleshooting
Check the status report at /admin/reports/status. If it shows a warning about anonymous user profile access, remove the 'access user profiles' permission from the anonymous role at /admin/people/permissions.
The module does not prevent password reset emails from being sent to valid users. If emails are not being sent, check your mail system configuration, spam filters, and ensure the user account exists and is active. The module only suppresses error messages, not the actual functionality.
If flood control messages no longer appear after repeated reset attempts, this is expected behavior. The module intentionally suppresses flood control messages because they could reveal that a username is valid (an attacker would know they hit a valid user if they get rate-limited). Flood protection still works server-side.
If your site requires anonymous users to view profiles, understand that this creates an inherent username enumeration vulnerability that this module cannot fully mitigate. Consider whether this permission is truly necessary for your use case.
Security Notes
- Users with the 'access user profiles' permission can still enumerate usernames by visiting /user/UID URLs - the module can only convert 403 to 404, not prevent access entirely
- The 'Submitted by' information on nodes and comments can expose usernames - consider adjusting display settings or using format_username hooks
- Views displaying user information can expose usernames - audit your Views configurations
- Browser autocompletion may reveal usernames - use Security Kit module to disable this feature
- This module addresses one vector of username enumeration; a comprehensive security strategy should address all potential exposure points
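One way to keep login names out of "Submitted by" lines and comment bylines, as an added example rather than the module's own code: Drupal's hook_user_format_name_alter() rewrites the display name everywhere core renders it. It assumes the hypothetical enum_guard module and a hypothetical text field field_display_name on the user entity.

```php
<?php

// Added example (not the module's own code). Hypothetical file: enum_guard.module

use Drupal\Core\Session\AccountInterface;
use Drupal\user\Entity\User;
use Drupal\user\UserInterface;

/**
 * Implements hook_user_format_name_alter().
 *
 * Shows a separate display name instead of the login name wherever core
 * prints an account's display name (bylines, comments, {{ user.displayname }}).
 */
function enum_guard_user_format_name_alter(&$name, AccountInterface $account) {
  if ($account->isAnonymous()) {
    return;
  }
  // Avoid a reload when the full user entity is already in hand.
  $user = $account instanceof UserInterface ? $account : User::load($account->id());
  if ($user && $user->hasField('field_display_name') && !$user->get('field_display_name')->isEmpty()) {
    // field_display_name is an assumed site-specific field.
    $name = $user->get('field_display_name')->value;
    return;
  }
  // Fall back to a label that does not echo the login name.
  $name = t('Member #@uid', ['@uid' => $account->id()]);
}
```

This covers core output only; Views that render the "Name" field of the user entity directly still need to be audited, as the note above says.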