Username Enumeration Prevention is a project that aims to mitigate common ways anonymous users can identify valid usernames on a Drupal site.
What Is Username Enumeration?
Username enumeration is a technique used by malicious actors to identify valid usernames on a web application, which can then be used in other attacks such as credential stuffing.
What does Username Enumeration Prevention do?
- Provides warnings on the admin status report if the site's configuration could expose usernames
- Prevents the password reset form from displaying the following messages:
  '%name is blocked or has not been activated yet.'
  '%name is not recognized as a username or an email address.'
- Converts 403 Access Denied responses to 404 Not Found on user profiles.
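One way a site owner can confirm both behaviours above from recorded responses, as an added example that is not the module's own code. The observation tuples, the function names and the generic reply text in AFTER are constructed assumptions; the page does not state what message the module shows instead.

```python
import re
from collections import defaultdict

# Constructed sample observations (not captured from a real site):
# (check, account_state, submitted_name, http_status, response_body)
BEFORE = [  # module disabled: status codes and messages depend on the account
    ("profile", "exists", None, 403, "Access denied"),
    ("profile", "missing", None, 404, "Page not found"),
    ("reset", "blocked", "alice", 200, "alice is blocked or has not been activated yet."),
    ("reset", "missing", "bob", 200, "bob is not recognized as a username or an email address."),
]
AFTER = [  # module enabled; the reset reply text is a placeholder assumption
    ("profile", "exists", None, 404, "Page not found"),
    ("profile", "missing", None, 404, "Page not found"),
    ("reset", "blocked", "alice", 200, "Placeholder generic reply for alice."),
    ("reset", "missing", "bob", 200, "Placeholder generic reply for bob."),
]

def fingerprint(status, body, submitted):
    """Reduce a response to what an anonymous client could compare."""
    text = body
    if submitted:
        # The form echoes the submitted name (%name). Mask it so only the
        # wording of the message is compared, not the input itself.
        pattern = r"\b" + re.escape(submitted) + r"\b"
        text = re.sub(pattern, "%name", text, flags=re.IGNORECASE)
    return status, " ".join(text.split())

def find_oracles(observations):
    """Return the checks whose responses differ by account state."""
    by_state = defaultdict(lambda: defaultdict(set))
    for check, state, submitted, status, body in observations:
        by_state[check][state].add(fingerprint(status, body, submitted))
    leaks = {}
    for check, states in by_state.items():
        # A leak exists when two account states do not share the same
        # set of observable responses.
        if len({frozenset(fps) for fps in states.values()}) > 1:
            leaks[check] = {s: sorted(fps) for s, fps in states.items()}
    return leaks

if __name__ == "__main__":
    print("before:", sorted(find_oracles(BEFORE)))
    print("after: ", sorted(find_oracles(AFTER)))
```
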
Additional Notes
Enabling this module is one step toward preventing usernames on the system from being discovered, but there are other known methods that are just as easy.
- If a user belongs to a role that has "access user profiles" granted to it, then that user can serially visit all integers at the URL http://drupal.org/user/UID and get the username from the loaded profile pages.
- "submitted by" information on nodes or comments, views, exposed filters or by other contributed modules can also expose usernames. Site builders looking to hide usernames from comments and nodes should look at using realname or some other tool.
- Browser autocompletion on the user login page can be disabled using the Security Kit module.
- The Drupal security team does not consider username enumeration a vulnerability.
Core Issue
Anyone looking to contribute to this project should first review the core issue and see if there is any way they can help push that forward.
Get Started
Composer
- Add the project to your project's composer dependencies.
composer require "drupal/username_enumeration_prevention"
- Navigate to Administer >> Extend.
- Enable Username Enumeration Prevention.
Manual
- Place the entirety of the module directory in modules/contrib/username_enumeration_prevention.
- Navigate to Administer >> Extend.
- Enable Username Enumeration Prevention.
Contribute
Development of this module takes place on GitHub.
- If you encounter issues, please search the backlog.
- Please create issues and feature requests in GitHub.
- Even better, feel free to fork this repo and make pull requests.
Project information
Maintenance fixes only
Considered feature-complete by its maintainers.
- Module categories: Security, User Access & Authentication
23,491 sites report using this module
Stable releases for this project are covered by the security advisory policy.
Look for the shield icon below.
Downloads
Development version: 8.x-1.x-dev updated 24 Sep 2020 at 02:02 UTC
- Testing result: PHP 7.3 & MySQL 8, D8.9.13 16 pass all results
Development version: 7.x-1.x-dev updated 6 Jul 2018 at 15:48 UTC
- Testing result: PHP 5.6 & MySQL 5.5, D7 6 pass all results










