Disclosure of usernames and user ids is not considered a weakness

Last updated on 10 August 2017

The Drupal Security Team does not consider it a vulnerability that there are ways to determine a registered member's username and/or user id value (i.e. the numeric uid).

Justification for considering username/uid to be sensitive information

This information may be useful to help an attacker gain access to a site. Once an attacker knows the username, they have half of the information necessary to break into a site. Many security researchers and experts consider it a security weakness for a system to disclose the usernames available on a site.

Drupal's philosophy

Usernames are an important part of online identity. Having a public username helps other users of a site to know the identity of the person they are interacting with in a forum or a blog. Drupal is primarily intended to be used for sites where identity and interaction are key elements so it is reasonable for that information to be public.

Potential mitigation

Administrators of sites that are concerned about this form of attack should look to increase the strength of their login process, for example by using the Yubikey, Swekey or similar modules. It is also possible to obfuscate the name used for login by displaying the real name of users with the RealName module, and to reduce the likelihood of username enumeration with the Username Enumeration Prevention module.

Those interested in making usernames a more private piece of information should work on #849602: Update 'username' theme template to use 'view label' operation.