
Regarding #1, telling the user that their login failed doesn't eliminate their ability to enumerate existing usernames. All they have to do instead is attempt to register a new account with the username they're testing. At some point, the site will have to tell them that the username already exists.

#2-#5 are all good points, though, and would help prevent username enumeration as well.



Regarding #1, telling the user that their login failed doesn't eliminate their ability to enumerate existing usernames. All they have to do instead is attempt to register a new account with the username they're testing. At some point, the site will have to tell them that the username already exists.

Agreed, but I would lean towards giving the bad guys as few tools as possible. If you require a captcha to register, and if you limit the number of registration attempts, you can also cut down on that channel.

That's not to say that this stuff is the be all / end all of course. It would probably be better to eliminate username/password combos altogether and do everything with keypairs, but until that day comes...
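As an added illustration (not code from either commenter), a Python sketch of the two controls this exchange discusses: a login handler whose failure message and hashing cost are the same for an unknown username as for a wrong password, and a per-client cap on registration attempts, since the registration form must eventually say that a name is taken. The user store, credentials and client identifiers are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

GENERIC_LOGIN_ERROR = "Invalid username or password."  # same text for both failure causes

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_store(credentials: dict) -> dict:
    """Constructed store {username: (salt, pbkdf2_hash)} built from plaintext test credentials."""
    store = {}
    for name, pw in credentials.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(pw, salt))
    return store

# Fixed dummy salt/hash so an unknown username still costs one full PBKDF2 run
# (otherwise response time alone distinguishes existing from non-existing names).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)

def authenticate(store: dict, username: str, password: str):
    """Return (ok, message); the message is identical for unknown user and wrong password."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected) and username in store
    return (True, "Login successful.") if ok else (False, GENERIC_LOGIN_ERROR)

class RegistrationLimiter:
    """Per-client cap on registration attempts within a sliding window."""
    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(list)

    def allow(self, client_id: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._attempts[client_id] if now - t < self.window]
        recent.append(now)
        self._attempts[client_id] = recent
        return len(recent) <= self.max_attempts

def register(store: dict, limiter: RegistrationLimiter, client_id: str, username: str, password: str) -> str:
    """Registration has to reveal a taken name eventually; the limiter caps how many probes one client gets."""
    if not limiter.allow(client_id):
        return "Too many registration attempts; try again later."
    if username in store:
        return "Username already taken."
    salt = os.urandom(16)
    store[username] = (salt, _hash_password(password, salt))
    return "Account created."
```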


Except you aren't really limiting the tools available to the bad guys, you are just making the UX worse. I find this 'best practice' annoying design and doubt that it has mitigated any attacks.



