User enumeration

We often get the hint from bounty hunters that when submitting a wrong user/password combination that the error message tells the hacker, if a user name is valid or not.

First, the same can be achieved by signing up a new user and test if the username is already taken.

Secondly a rate limiter prevents a single IP from brute forcing the password forget, login and sign up page.

So there is no point in obfuscating if a username is correct on the forgot password page if you can get the same information on the sign up page.

On the other hand if we do not display that information we get a significantly higher number of support requests of users asking if we can help finding out their user name because the do not know which email address they have used.

Providing the information if a user name is correct or not gives a much better user experience because a user instantly knows that he has used the wrong user name and he can try another one before contacting the support which involves in a waiting time.