prevent username enumeration

Author: cottsak

security-checklist.md

@@ -18,7 +18,7 @@
 - [ ] Set an expiration on the reset password token for a reasonable period.
 - [ ] Expire the reset token after it has been successfully used.
 - [ ] Destroy the logged in user's session everywhere after successful reset of password. 
-
+- [ ] Ensure that login and password reset pages prevent [enumeration attacks](https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)).
 
 ##### USER DATA & AUTHORIZATION
 - [ ] Any resource access like, `my cart`, `my history` should check the logged in user's ownership of the resource using session id.