We have functionality on our registration form that uses an AJAX call to check whether a username is available.
It’s quite straightforward:
- Make a call to our service
- Check username against database
- If record of username found, return taken, otherwise return available.
We execute the call to our service once a user stops typing for a couple of seconds.
Our problem, however, is that an attacker could use some means of brute force on our service and compile a list of all our usernames.
Does anyone know of any good ways to help prevent this sort of “attack”?
The only one I could think of was asking for a Captcha up front, but that wouldn’t be a good user experience and might put people off filling out our form.
If it helps at all, we’re using ASP.NET MVC, C#, SQL Server.
Any help would be greatly appreciated, thanks!
I suppose the best way is to rate limit it, either by allowing a user only a certain number of requests or by adding a 0.5-1 second waiting time onto each request. By doing either of those it’ll become much harder for an attacker to enumerate a decent number of usernames in a reasonable amount of time.
I think a better way of securing your application, however, would be to treat it as if everyone already has a list of your users and work from there. Assuming an attacker knows all your users, how would you protect against brute force attacks? By rate limiting password attempts. By allowing only a few password attempts per 10 minutes or so, you will secure your application’s users substantially.
Personally I believe that all passwords that are non-obvious (such as “password” and “qwerty”) ought to be secure – for example, “soccerfan” should be a secure password. Why? Because you aren’t going to guess “soccerfan” immediately. It’ll maybe be 100th or so in your brute-forcer’s dictionary, and by the time they’ve attempted to log in anywhere near that many times they should be banned and the user should have been notified. (By the way, I’m not suggesting people should use such passwords; the more complex the better.)
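The two rate limits the answer above recommends, a per-client budget on the username-availability check and a per-account budget on login attempts, share one mechanism: a sliding window of timestamps per key. The following is an added example written for this thread, not code from the asker’s ASP.NET MVC project; it is plain Python so it runs stand-alone, and the same logic ports directly to an action filter in C#. The user table, the salt, the window sizes (10 checks per minute per IP, 5 login attempts per 10 minutes per account) and the IP addresses are all constructed for illustration.

```python
"""Sliding-window rate limiting for a username-availability check and for
login attempts.  Added example (not the original poster's code); every
data value below is constructed for illustration."""
import hashlib
import hmac
import time
from collections import deque
from threading import Lock


class SlidingWindowLimiter:
    """Allow at most `max_requests` events per `key` in any `window_seconds`.

    Each key keeps a deque of event timestamps; entries older than the window
    are dropped on every call, so the budget refills gradually rather than
    all at once at a fixed boundary (which an attacker could time).
    """

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self._clock = clock
        self._hits = {}          # key -> deque of timestamps
        self._lock = Lock()      # the real thing runs under concurrent requests

    def allow(self, key, now=None):
        """Record an event for `key` and return True, or False if over budget."""
        now = self._clock() if now is None else now
        with self._lock:
            q = self._hits.setdefault(key, deque())
            cutoff = now - self.window
            while q and q[0] <= cutoff:
                q.popleft()
            if len(q) >= self.max_requests:
                return False     # budget exhausted: do NOT append, do NOT do the work
            q.append(now)
            return True

    def reset(self, key):
        with self._lock:
            self._hits.pop(key, None)


# --- username availability check (keyed by client IP) ---------------------
USERS = {"alice", "bob", "carol"}                      # constructed sample data
CHECK_LIMITER = SlidingWindowLimiter(max_requests=10, window_seconds=60)


def check_username(client_ip, username, now=None):
    """Returns 'taken', 'available' or 'rate_limited'.

    The limit is applied *before* the database lookup, so a limited client
    learns nothing about the name it asked for.  Keying by IP is an
    assumption; behind a shared proxy you would key by session or device.
    """
    if not CHECK_LIMITER.allow(client_ip, now):
        return "rate_limited"
    return "taken" if username.lower() in USERS else "available"


# --- login attempts (keyed by account) ------------------------------------
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"constructed-salt"                             # per-user random salt in real code
PASSWORD_HASHES = {"alice": _hash("soccerfan", SALT)}  # constructed sample account
DUMMY_HASH = _hash("not-a-real-password", SALT)        # keeps unknown-user timing uniform
LOGIN_LIMITER = SlidingWindowLimiter(max_requests=5, window_seconds=600)


def login(username, password, now=None):
    """Returns 'ok', 'bad_credentials' or 'locked_out'.

    Every attempt, right or wrong, spends budget; once it is gone even the
    correct password is refused until the window clears, which is the point
    at which the answer above suggests notifying the account owner.
    """
    key = username.lower()
    if not LOGIN_LIMITER.allow("login:" + key, now):
        return "locked_out"
    candidate = _hash(password, SALT)
    stored = PASSWORD_HASHES.get(key, DUMMY_HASH)
    ok = hmac.compare_digest(stored, candidate) and key in PASSWORD_HASHES
    if ok:
        LOGIN_LIMITER.reset("login:" + key)
        return "ok"
    return "bad_credentials"


if __name__ == "__main__":
    # Simulated clock: an attacker enumerating names from one address.
    for i, name in enumerate(["alice", "dave", "erin", "bob", "frank", "grace",
                              "heidi", "ivan", "judy", "carol", "mallory"]):
        print(name, "->", check_username("203.0.113.5", name, now=1000.0 + i))
```

The limiter refuses before it touches the database, so the cost of a refused request is a dictionary lookup, not a query. Note what a fixed 0.5–1 s delay on each response does and does not buy: it slows a single-threaded scraper, but an attacker who opens fifty connections in parallel still gets fifty answers per second, so the per-key budget is what actually bounds enumeration throughput. The login limiter spends budget on every attempt and only clears it on success, so a successful login after four failures starts fresh, while a fifth failure locks the account out for the remainder of the window.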