Prevent user enumeration by blocking the display of all login error messages. A user attempting to login will not be aware if the account exists, an invalid user name or password has been submitted, or if the account is blocked.
Some of the messages which are hidden include:
- Sorry, unrecognized username
- Sorry, incorrect password
- Sorry, [username] is not recognized as a user name or an e-mail address.
- The account for [username] has not been activated or is blocked.
- Sorry, there have been more than 5 failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.
This module mitigates a vector to collect a set of valid usernames by interacting with the login forms. It hampers attempts to use brute force testing, in which the tester verifies if, given a valid username, it is possible to find the corresponding password.
Use of this module is meant to toughen against the username enumeration test cases found in the OWASP Testing Guide Project, Testing for User Enumeration and Guessable User Account (OWASP-AT-002). It
provides similar functionality to the Username Enumeration Prevention module in Drupal.
Usage
Enable the module for full functionality. There is no configuration.
Current Maintainer
- None
Credits
- Originally added by David Norman to Drupal's Login Security module
(https://www.drupal.org/project/login_security) - Ported to Backdrop by David Norman (https://github.com/deekayen)
License
This project is GPL v2 software. See the LICENSE.txt file in this directory for
complete text.