
Development repo for drupal.org/project/username_enumeration_prevention


nicksantamaria/drupal-username_enumeration_prevention


Username Enumeration Prevention

Branch Build Status
8.x-1.x CircleCI
7.x-1.x CircleCI

Username Enumeration Prevention is a Drupal module that mitigates the common ways an anonymous visitor can identify valid usernames on a Drupal site.

What Is Username Enumeration?

Username enumeration is a technique used by malicious actors to identify valid usernames on a web application. A confirmed list of accounts turns blind guessing into targeted attacks such as credential stuffing, password spraying and phishing.

What does Username Enumeration Prevention do?

  • Adds warnings to the admin status report when the site's configuration could expose usernames (7.x, 8.x)
  • Stops the password reset form from displaying the following messages, each of which confirms whether %name is a real account (7.x, 8.x)
    • '%name is blocked or has not been activated yet.'
    • '%name is not recognized as a username or an email address.'
  • Converts 403 Access Denied responses to 404 Not Found on user profiles, so an anonymous visitor cannot tell an existing UID from an unused one by status code (7.x)

Additional Notes

Enabling this module is one step toward keeping usernames from being discovered, but other methods that are just as easy remain open:

  • If a user belongs to a role that has "access user profiles" granted to it, that user can walk the integer UIDs at /user/UID on the site and read the username from each profile page that loads.
  • "Submitted by" information on nodes and comments, Views output, exposed filters and other contributed modules can also expose usernames. Site builders who want to hide usernames on comments and nodes should look at the realname module or a similar tool.
  • Browser autocompletion on the user login form can be disabled with the Security Kit module.
  • The Drupal security team does not consider username enumeration a vulnerability.
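The two oracles listed above (the password reset messages and the 403-versus-404 behaviour of /user/UID) are easiest to reason about from the tester's side: submit the reset form once with a known account and once with a made-up name, and request one existing and one unused UID, then compare. The script below is an added example written for this page, not code from the username_enumeration_prevention module. It works on constructed responses embedded inline so it runs offline; the `Response` class, the regular expressions for Drupal's per-request `form_build_id` and `form_token` fields, and the "neutral" reset message used in the hardened sample are assumptions made here, not text quoted from the module.

```python
"""Offline check for two username-enumeration oracles on a Drupal site.

Added example; not part of the username_enumeration_prevention module.
Sample responses are constructed inline so the functions run without a
network; in practice feed them responses captured with any HTTP client.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Drupal core password-reset messages that name the account. Seeing either
# one in a response tells the requester whether the username exists.
CORE_PASS_MESSAGES = (
    "is blocked or has not been activated yet",
    "is not recognized as a username or an email address",
)

# Per-request form values that change on every page load (assumed markup).
# They must be masked before two bodies are compared, or every pair of
# responses looks "different" and the comparison proves nothing.
VOLATILE = (
    re.compile(r'name="form_build_id" value="[^"]*"'),
    re.compile(r'name="form_token" value="[^"]*"'),
)


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def normalise(body: str) -> str:
    """Strip per-request tokens and collapse whitespace so bodies compare fairly."""
    for pattern in VOLATILE:
        body = pattern.sub("", body)
    return " ".join(body.split())


def password_reset_oracle(known_user: Response, bogus_user: Response) -> list[str]:
    """Findings from submitting the reset form with a real and a made-up name.

    An empty list means the two responses are indistinguishable after masking,
    which is what a site that does not leak account existence should produce.
    """
    findings: list[str] = []
    for msg in CORE_PASS_MESSAGES:
        if msg in bogus_user.body or msg in known_user.body:
            findings.append(f"core message leaked: '...{msg}'")
    if known_user.status != bogus_user.status:
        findings.append(f"status differs: {known_user.status} vs {bogus_user.status}")
    if normalise(known_user.body) != normalise(bogus_user.body):
        findings.append("body differs between real and made-up username")
    return findings


def profile_oracle(existing_uid: Response, unused_uid: Response) -> bool:
    """True when /user/UID answers differently (e.g. 403 vs 404) for a real and an unused UID.

    That difference lets an anonymous visitor count accounts by walking UIDs even
    without "access user profiles"; collapsing both to 404 removes the signal.
    """
    return existing_uid.status != unused_uid.status


# --- Constructed sample responses (not captured from a real site) -------------
FORM = '<input name="form_build_id" value="{bid}"><input name="form_token" value="{tok}">'


def _page(message: str, bid: str, tok: str) -> str:
    return f'<div class="messages">{message}</div>' + FORM.format(bid=bid, tok=tok)


# Stock behaviour: the bogus name draws a core message that names the account.
STOCK = password_reset_oracle(
    Response(200, _page("Further instructions have been sent to your email address.", "a1", "t1")),
    Response(200, _page("nosuchuser is not recognized as a username or an email address.", "a2", "t2")),
)

# Hardened behaviour: the same neutral text (wording assumed here) for both
# submissions; only the per-request tokens differ, and normalise() masks them.
NEUTRAL = "If the account exists, an email with further instructions has been sent."
HARDENED = password_reset_oracle(
    Response(200, _page(NEUTRAL, "b1", "u1")),
    Response(200, _page(NEUTRAL, "b2", "u2")),
)

if __name__ == "__main__":
    print("stock site findings:", STOCK)
    print("hardened site findings:", HARDENED)
    print("profile oracle (403 vs 404):", profile_oracle(Response(403, ""), Response(404, "")))
```

Run the same functions against real captures to confirm the module is doing its job: a stock site reports the leaked core message and a body difference, a hardened one reports nothing. Timing differences are deliberately outside this check; measuring them needs many repeated requests rather than a single pair.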

Core Issue

Anyone looking to contribute to this project should first review the core issue and see whether they can help push it forward.

Get Started

Composer

  • Add the project to your project's composer dependencies.
    composer require "drupal/username_enumeration_prevention"
  • Navigate to Administer >> Extend.
  • Enable Username Enumeration Prevention.

Manual

  • Place the entirety of the module directory in modules/contrib/username_enumeration_prevention.
  • Navigate to Administer >> Extend.
  • Enable Username Enumeration Prevention.

Contribute

Development of this module takes place on GitHub.
