preventing sign up forms from being used for user enumeration

["Robin Wood" <dninja () gmail com>]

Hi
I'm developing a application which requires users to sign up with both
a username and an email address. I only want an email address to sign
up once and don't want duplication of usernames.

If I just put up a warning stating that an email address is already
registered if it is, the form is open to being used for user
enumeration. Apart from using things like captchas to try to defeat
automated attacks, is there any way to stop this?

I know on things like forgotten password forms you can ask for extra
info so someone guessing would have to get both bits right but I can't
think of a way to do this here.

Robin

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------