spec checked
OWASP Authentication Cheat Sheet account enumeration guidance
Documents authentication response design that avoids user enumeration, including account registration responses where an existing user should receive a neutral activation-link message rather than a direct account-exists disclosure.
Pattern Decisions This Source Supports
| Pattern | Supported decision | Required contract | Claim note |
|---|---|---|---|
| Account creation | Choose account creation when a persistent account is required for repeated access, saved data, account management, security, authorization, legal accountability, or returning to drafts. | The flow states why the account is needed before asking for credentials. | OWASP supports neutral account-registration responses that avoid exposing whether an account already exists. |
| Confirm email | Choose confirm email when the service must prove that the user can access the mailbox for account activation, recovery, sensitive notifications, invitation acceptance, or a verified contact route. | The confirmation page states which email address is pending and why access to that mailbox is required. | OWASP supports neutral registration and activation responses where account enumeration risk exists. |
| Login | Choose login when the user has submitted credentials or an authenticator and the UI must show the result, next retry, lockout, or session-created state. | Submitting credentials enters one clear verifying state and prevents duplicate submissions until the login result returns. | OWASP supports generic authentication responses to avoid account enumeration. |
| Password reset | Choose password reset when an unauthenticated or partially authenticated user needs to regain account access by proving control of a recovery channel and setting a replacement password. | Submitting an identifier always leads to the same visible confirmation, regardless of whether an account exists. | OWASP supports neutral authentication and recovery responses that avoid account enumeration. |
| Sign in | Choose sign in when the user needs to start or restore an authenticated session for an existing account. | The sign-in form identifies the protected service or destination before requesting credentials. | OWASP supports generic authentication failure responses that do not disclose whether an account exists, is locked, or has a wrong password. |
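The neutral-response contracts in the table above, worked through as an added Python example. This is not OWASP's code and not code from the pattern library this record belongs to; the service class, the in-memory user store, the `outbox` list and the message strings are assumptions made for the example. Registration, login and password reset each return the same response whether or not the account exists, and login hashes a dummy credential for unknown users so the amount of work does not reveal account state either.

```python
"""Added example: authentication responses that do not reveal account state.

Assumed names (not from OWASP or the pattern library): AuthService, Response,
User, and the in-memory user store and outbox used to observe side effects.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# One fixed message per flow; the wording never depends on whether the account exists.
REGISTER_MSG = "If this address can be registered, an activation link has been sent to it."
LOGIN_FAIL_MSG = "Invalid username or password."
RESET_MSG = "If an account exists for that address, a password reset link has been sent."


@dataclass(frozen=True)
class Response:
    status: int
    message: str


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    active: bool = True


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library keeps the example dependency-free;
    # a production system would typically use Argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        # Constructed side channel for the example: (address, kind of mail sent).
        self.outbox: list[tuple[str, str]] = []
        # Dummy credential so a login for an unknown user costs the same hashing work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password(secrets.token_hex(16), self._dummy_salt)

    def register(self, email: str, password: str) -> Response:
        if email in self.users:
            # Existing account: tell the mailbox owner, not the caller.
            self.outbox.append((email, "already-registered-notice"))
        else:
            salt = os.urandom(16)
            self.users[email] = User(salt, _hash_password(password, salt), active=False)
            self.outbox.append((email, "activation-link"))
        return Response(200, REGISTER_MSG)

    def activate(self, email: str) -> None:
        # Stands in for the user following the activation link.
        self.users[email].active = True

    def login(self, email: str, password: str) -> Response:
        user = self.users.get(email)
        salt = user.salt if user else self._dummy_salt
        expected = user.pw_hash if user else self._dummy_hash
        ok = hmac.compare_digest(_hash_password(password, salt), expected)
        # Unknown user, not-yet-activated account and wrong password collapse into one outcome.
        if user is None or not user.active or not ok:
            return Response(401, LOGIN_FAIL_MSG)
        return Response(200, "Session created.")

    def request_reset(self, email: str) -> Response:
        if email in self.users:
            self.outbox.append((email, "reset-link"))
        return Response(200, RESET_MSG)


if __name__ == "__main__":
    svc = AuthService()
    print(svc.register("alice@example.test", "correct horse"))
    print(svc.register("alice@example.test", "other password"))  # identical response
    print(svc.login("nobody@example.test", "x"))
    print(svc.login("alice@example.test", "x"))                   # identical response
```

The observable difference between "account exists" and "account does not exist" is confined to the `outbox`, that is, to mail delivered to the mailbox owner, which is exactly the channel OWASP's guidance allows the information to travel on.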
Evidence Role
This source is treated as spec evidence. Use it to validate the decision rules above, not as a visual style reference.
Publisher: OWASP Cheat Sheet Series. Last checked: .