Authentication Security
Last updated 1 year ago.

Yep - I just return a message along the lines of "If your email address was found in our database we have sent you details on how to reset your password." regardless of whether it was found or not.

Last updated 1 year ago.

The problem is they can just 'brute force' the usernames on the sign-up page - so you are not really stopping the exposure of usernames to brute force. i.e. trying to sign up using a different email address will often return validation errors that "the username is already in use".

They can then use this information when trying to brute force the password.

All you are going to really achieve is to annoy users who can't remember their details, and risk them leaving your website.

So I don't think it's worth the worry. Your time would be better spent forcing a good password with password security rules. Maybe even have a list of the top 100 passwords and don't let people choose one of those. Because anyone who tries to brute force a password will just start with that anyway...

The other option is to throttle login attempts per username/IP etc...

Last updated 1 year ago.

TheShiftExchange said:

The problem is they can just 'brute force' the usernames on the sign-up page - so you are not really stopping the exposure of usernames to brute force. i.e. trying to sign up using a different email address will often return validation errors that "the username is already in use".

They can then use this information when trying to brute force the password.

I agree, however in my situation users are registered outside of the web app, so this isn't an issue for me.

Last updated 1 year ago.
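The three mitigations discussed in this thread (a reset message that reads the same whether or not the address exists, throttling login attempts per username and IP, and refusing passwords from a common-password list) as one added, framework-agnostic Python example. This is not code from the posts or from Laravel; the addresses, the denylist entries and the attempt limits are constructed stand-ins.

```python
import time
from collections import defaultdict

# Constructed sample data (not real accounts): the registered addresses and a
# tiny stand-in for the "top 100 passwords" list the thread recommends.
REGISTERED = {"alice@example.com", "bob@example.com"}
BANNED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}
RESET_MESSAGE = ("If your email address was found in our database we have "
                 "sent you details on how to reset your password.")


def request_password_reset(email, outbox):
    """Respond identically whether or not the address is registered.

    The only difference is the side effect (a reset email is queued into
    `outbox`), which the caller cannot observe, so the response leaks nothing.
    """
    if email.lower() in REGISTERED:
        outbox.append((email.lower(), "reset-link"))
    return RESET_MESSAGE


class LoginThrottle:
    """Cap failed attempts per (username, ip) pair inside a sliding window."""

    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._hits = defaultdict(list)  # (username, ip) -> failure timestamps

    def allowed(self, username, ip, now=None):
        now = time.time() if now is None else now
        key = (username.lower(), ip)
        # Drop failures that have aged out of the window before counting.
        self._hits[key] = [t for t in self._hits[key] if now - t < self.window]
        return len(self._hits[key]) < self.max_attempts

    def record_failure(self, username, ip, now=None):
        now = time.time() if now is None else now
        self._hits[(username.lower(), ip)].append(now)


def check_password_policy(password):
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < 12:
        problems.append("too short")
    if password.lower() in BANNED_PASSWORDS:
        problems.append("on the common-password denylist")
    return problems
```

The throttle keys on the normalised username as well as the IP, so a single source cannot spread guesses across many accounts without each account's own counter filling up.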

bigarnie bigarnie Joined 15 Jul 2014
© 2024 Laravel.io - All rights reserved.