Question

In my registration form I have an AJAX DB lookup for emails and usernames on input focus-out. Is that a bad idea? Why? I also plan to attach a lockout if user lookups > allowed lookups.


Solution

No, it is not a bad idea. On the contrary, it improves the user experience and reduces bandwidth usage compared to having to submit the entire form just to tell the user that the email is already taken. All major websites do it. Take for example Google's registration form: https://accounts.google.com/SignUp?continue=https%3A%2F%2Fwww.google.com%2F&hl=en

OTHER TIPS

This could lead to a User Enumeration vulnerability, i.e. an attacker could easily harvest a known list of usernames and email addresses from your system via brute force, or by testing another list of usernames and email addresses to find out if they are active users.

You mention adding a lockout, but by what criteria will you determine the number of user lookups attempted? Grouping by cookies or session would be insecure because an attacker could simply clear their cookies or start a new session. IP would be a better way (e.g. 10 lookups allowed per unique IP per 30 minutes), but as an attacker could use a distributed attack they could circumvent this method.

Please see my answer here for a more secure way if this is a concern for your system. This involves the user entering their email address only on a form that will continue the registration process by a link sent to this address. If you did this as your first step, then you would know which usernames have been attempted by this user on the next step, as these lookups would then be associated with the entered email address, and you could limit the number of username lookups by unique email. This would make it difficult for an attacker to enumerate the usernames and almost impossible to enumerate email addresses.
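An added example, not code from the question or either answer, of the per-IP lookup budget described above (10 lookups per IP per 30 minutes) in Python. The account table, the IP addresses and the `LookupRateLimiter` / `availability` names are constructed for illustration; the same limiter keyed by the registrant's verified email address gives the per-email limit of the email-first flow.

```python
from collections import defaultdict, deque

# Constructed stand-in for the registration database lookup.
TAKEN = {"username": {"alice", "bob"}, "email": {"alice@example.com"}}


class LookupRateLimiter:
    """Sliding-window counter: at most `limit` lookups per key per `window` seconds.

    The key is whatever attempts are grouped by: the client IP for the
    per-IP rule, or the verified email address in the email-first flow.
    """

    def __init__(self, limit=10, window=1800):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of recent lookups

    def allow(self, key, now):
        """Record one lookup for `key` at time `now`; False once over budget."""
        hits = self._hits[key]
        # Discard timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def availability(limiter, key, field, value, now):
    """Answer an AJAX availability check, or refuse once `key` is over budget.

    Returns 'available', 'taken' or 'rate_limited'. A refused request must not
    reveal whether the value exists, so the database lookup is skipped entirely.
    """
    if not limiter.allow(key, now):
        return "rate_limited"
    return "taken" if value in TAKEN[field] else "available"
```

The per-key deques grow with the number of distinct keys seen, so a production deployment would store the counters in a shared cache with expiry rather than in process memory.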

Licensed under: CC-BY-SA with attribution