How can I securely check if a username is already taken?

I have a form where someone can c开发者_开发问答reate a new user. I'd like to add some AJAX to check if a username is taken, as soon as the input field loses focus. I'm not really sure how to go about this, as this could pave the way to bruteforce attack, since you could check for any username and see whether or not it exists. Any suggestions?

Probably the best option is to limit, in the server-side script, the number of attempts a user is allowed to make (based on either session, or IP) to a sensible limit (ie. 10) within a 30 minute time period.

Another option would be to put a captcha on the page to ensure that the user is a human and not a bruteforcing program.

Why not

1. throttle the number of attempts a new user can make (e.g. only allow 'n' in a minute)
2. provide a mechanism to suggest available usernames based on the user's input, thus reducing the number of valid attempts a user would normally make

Instead of prompting when the input field loses focus, you can wait until after the form is submitted to check. If the username is already taken, a robust solution is to suggest alternative user names.

if you're a forum, usernames aren't private. just use server logic to limit the number of calls per minute. if you're a bank, different story; but in that case, you can assign usernames to bank accounts.

I've never done this, so just an idea. Generate some unique ID (e.g. uuid) transmitted along with form. When you check for the username include (and check for) this unique ID. Of course, this need some server side involvment, but at least you wouldn't be able directly call this function without rendering the form.

Note: For more security, you would need to update the forms unique ID everytime the user checks for a value.