
Account Enumeration

Attackers probe authentication responses to confirm which accounts exist so they can target them directly.

What it is

Account Enumeration is a technique attackers use to determine whether a specific user account exists in an application. The signal may come from differences in error messages, HTTP status codes, password-reset responses, or response timing during authentication attempts: any behaviour that differs between a known and an unknown username.

Why it matters

Once attackers confirm which accounts are valid, they can focus on real users instead of guessing blindly. That dramatically increases the success rate of brute-force attacks, credential stuffing, targeted phishing, and social-engineering campaigns. Enumeration often becomes the silent first step in account takeover incidents.

How to reduce risk

  • Return the same generic, non-verbose failure response for every authentication failure, whether the username or the password was wrong
  • Do the same in password-reset flows (for example, "If that account exists, an email has been sent" rather than "No account with that address")
  • Normalize response times for valid and invalid accounts, for example by always running the password hash even when the account does not exist
  • Apply rate limiting, monitoring, and alerting to login and recovery endpoints
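The following is an added example, not code from the original page: a minimal login check that leaks account existence through both its messages and its response time, beside a hardened version that returns one generic failure and always computes a password hash, plus a small log-based check for the enumeration pattern a monitoring rule would look for. The user store, the dummy credential, the PBKDF2 work factor, and the auth-log format are all constructed for the demo.

```python
"""Added example (not from the original page): a login handler that leaks
account existence via its messages and via skipped password hashing, beside
a hardened version, plus a small log-based check for enumeration attempts.
User store, dummy credential, work factor and log lines are constructed."""
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, stored hash). One real account.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}

# Dummy credential used when the account does not exist, so the server spends
# the same hashing time on unknown and known usernames.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)

GENERIC_FAILURE = (401, "Invalid username or password")


def login_leaky(username: str, password: str):
    """Vulnerable: message and response time both reveal whether the account exists."""
    entry = USERS.get(username)
    if entry is None:
        return (404, "No such user")          # fast path, distinct message
    salt, stored = entry
    if hash_password(password, salt) != stored:
        return (401, "Incorrect password")    # slow path, distinct message
    return (200, "OK")


def login_uniform(username: str, password: str):
    """Hardened: identical failure response, and a hash is always computed."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)          # runs for unknown users too
    matched = hmac.compare_digest(candidate, stored)   # constant-time compare
    if matched and username in USERS:
        return (200, "OK")
    return GENERIC_FAILURE


def median_ms(fn, *args, runs: int = 5) -> float:
    """Median wall-clock time of fn(*args) in milliseconds."""
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        fn(*args)
        samples.append((time.perf_counter() - start) * 1000)
    return sorted(samples)[runs // 2]


# Constructed auth-log lines (the format is an assumption): ip, username, outcome.
AUTH_LOG = """\
10.0.0.5 login user=alice result=fail
10.0.0.5 login user=bob result=fail
10.0.0.5 login user=carol result=fail
10.0.0.5 login user=dave result=fail
10.0.0.5 login user=erin result=fail
10.0.0.9 login user=alice result=fail
10.0.0.9 login user=alice result=fail
10.0.0.9 login user=alice result=ok
"""
LOG_RE = re.compile(r"^(?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>\S+)$")


def enumeration_suspects(log_text: str, max_distinct_users: int = 3):
    """Return source IPs whose failed logins spread across many distinct usernames.

    Spraying many usernames with one attempt each is the enumeration signature;
    repeated failures against a single account look like password guessing.
    """
    failed_users = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["result"] == "fail":
            failed_users[m["ip"]].add(m["user"])
    return sorted(ip for ip, users in failed_users.items()
                  if len(users) > max_distinct_users)


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(f"{fn.__name__}: known -> {fn('alice', 'wrong')}, "
              f"unknown -> {fn('bob', 'wrong')}")
        print(f"  timing: known={median_ms(fn, 'alice', 'wrong'):.1f}ms "
              f"unknown={median_ms(fn, 'bob', 'wrong'):.1f}ms")
    print("enumeration suspects:", enumeration_suspects(AUTH_LOG))
```

Running the script shows the two leaks side by side: `login_leaky` answers an unknown username in well under a millisecond with a different message, while `login_uniform` spends the full hash cost on both paths and returns the same tuple. The detector is deliberately crude (a fixed per-source threshold over distinct failed usernames) and stands in for the rate-limiting and alerting rule you would put on login and recovery endpoints; a real rule would add a time window and treat reset requests the same way.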

Related Terms: Credential Stuffing, Brute-Force Attack, Phishing

External Resources:

  • OWASP – Account Enumeration: https://owasp.org/www-community/attacks/Account_Enumeration
  • OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html