Preventing User Enumeration on Registration Page

Since the username is the public part, it isn't the end of the world if it can be enumerated, however if you really do want to avoid this, the easiest thing is to have them use e-mail address as the username. Then you simply say that you sent a link to the e-mail no matter if they have an account already or not.
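A minimal registration handler in the style this answer describes, written as an added example (not code from the original post): whichever branch runs, the caller gets the same message, and the difference is only in what lands in the mailbox. The in-memory `users`, `pending` and `outbox` stores and the `example.invalid` confirmation URL are constructed stand-ins for a real user table, token store and mail sender.

```python
import secrets
from dataclasses import dataclass, field

# Constant response text: identical for new and already-registered addresses.
UNIFORM_REPLY = "If this address is valid, a link has been sent to it."


@dataclass
class RegistrationService:
    # Constructed in-memory stand-ins (assumption): a real deployment would use
    # a database for users/pending tokens and an outbound mail queue.
    users: dict = field(default_factory=dict)    # email -> account record
    pending: dict = field(default_factory=dict)  # token -> email awaiting confirmation
    outbox: list = field(default_factory=list)   # (email, message) "sent" mails

    def register(self, email: str) -> str:
        """Handle a sign-up request without revealing whether the e-mail is known."""
        email = email.strip().lower()
        # Generate the token on both paths so the two branches do similar work;
        # the response body and status never depend on account existence.
        token = secrets.token_urlsafe(32)
        if email in self.users:
            # Existing account: only the mailbox owner learns this.
            self.outbox.append((email, "You already have an account. Use 'forgot password' if needed."))
        else:
            self.pending[token] = email
            self.outbox.append((email, f"Confirm your registration: https://example.invalid/confirm?token={token}"))
        return UNIFORM_REPLY

    def confirm(self, token: str) -> bool:
        """Complete a registration from the emailed token; True on success."""
        email = self.pending.pop(token, None)
        if email is None or email in self.users:
            return False
        self.users[email] = {"email": email, "confirmed": True}
        return True

    def last_token(self) -> str:
        """Helper for demonstration: the most recently issued pending token."""
        return next(reversed(self.pending)) if self.pending else ""


if __name__ == "__main__":
    svc = RegistrationService()
    print(svc.register("alice@example.invalid"))   # new address
    svc.confirm(svc.last_token())
    print(svc.register("alice@example.invalid"))   # now an existing account, same reply
    for addr, msg in svc.outbox:
        print(addr, "->", msg)
```

The point to check in a real implementation is that every observable property of the response (body, status code, headers, and roughly the timing) is the same on both branches; the mail content is where the two cases are allowed to differ.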


An option is to use captcha. The username can be verified after a submission and the captcha is updated if the username is already taken. This at least should slow down the process.

I think there are other options, but they are complex (for example have an exponential time to return the page after a submission for a duplicate user) or could render the application unusable (block user for an amount of time after X attempts).

If you're using emails as usernames, then the 2nd option is not that bad.
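The "exponential time to return the page" idea from this answer, as an added example that is not the poster's code: a per-client counter of duplicate-username submissions that doubles the delay on each repeat, caps it so the page never becomes unusable, and forgets the counter after a quiet window. The `client` key (for example a source IP or session id), the base delay, cap and window are assumptions chosen for illustration.

```python
import time


class DuplicateSubmitThrottle:
    """Escalating delay for repeated 'username already taken' submissions per client."""

    def __init__(self, base: float = 0.5, cap: float = 30.0, window: float = 600.0,
                 clock=time.monotonic):
        # Assumed parameters: 0.5 s first delay, doubling each time, capped at 30 s,
        # and the counter resets after 10 minutes without a duplicate submission.
        self.base, self.cap, self.window, self.clock = base, cap, window, clock
        self.state: dict[str, tuple[int, float]] = {}  # client -> (count, last_seen)

    def delay_for(self, client: str, username_taken: bool) -> float:
        """Return how long (seconds) the response for this submission should be held."""
        now = self.clock()
        count, last = self.state.get(client, (0, now))
        if now - last > self.window:
            count = 0  # quiet long enough: start over
        if not username_taken:
            # A non-duplicate submission is a normal registration; no penalty.
            self.state[client] = (0, now)
            return 0.0
        count += 1
        self.state[client] = (count, now)
        # Cap keeps the page usable and bounds the cost of holding a connection open.
        return min(self.base * 2 ** (count - 1), self.cap)


if __name__ == "__main__":
    throttle = DuplicateSubmitThrottle()
    for attempt in range(1, 9):
        d = throttle.delay_for("203.0.113.7", username_taken=True)  # constructed client id
        print(f"duplicate attempt {attempt}: hold response for {d:.1f}s")
```

In a web handler the returned value would be applied with a sleep (or a deferred response) before sending the "already taken" page; note that it only raises the cost of enumeration, it does not prevent it, which is why the answer above calls the approach complex rather than a fix.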