Anyone who has returned to a website and forgotten which username they used to sign up with knows the pain of being prompted with a generic error message.

Invalid username or password

If a user has four common usernames and four common passwords, that is sixteen combinations that they could have to try. Unless they really want back into your site, you have more than likely just killed the user’s engagement. If you would let them know if a username exists in your application, you would cut out more than half of those attempts.

“What? You can’t give attackers that information. You are doing half of their work for them!”

This argument only works if the login page is the only place that username enumeration is possible, but that is hardly ever the case.
Most websites are going to have at least one of the following:

  • Comments and postings that include the username as the author
  • User profile pages
  • Registration page
  • APIs that allow for easy scripting

If your application has even one of these things, then giving a crappy vague error message on the login is simply a case of cargo cult programming.

“Pfft. My application doesn’t have any of those things.”

There are websites that don’t have profile pages, don’t allow public registration, and don’t have user posted content, but those are the exception and not the rule. If your application falls in this category, and your customer list has a legitimate need to be private, then by all means, give vague error messages.

“What in the heck am I supposed to do to my login page protect my user list?”

You should be rate limiting any page that allows for the enumeration of your users. Hiding behind a vague error message on your login screen is doing a disservice to your users.