The present invention is related to the field of user authentication in computer systems. Computer systems generally, and in particular computer systems providing services over publically accessed networks, are vulnerable to a variety of attacks by which an attacker obtains unauthorized access to system resources. One type of attack, which may be used as a prelude to other, more targeted attacks, is an enumeration attack in which an attacker makes a series of attempts to access a system and observes the system's response so as to glean information about system resources. One well known example involves enumeration of account identifiers (IDs). An attacker generates a series of system login requests containing guessed-at account IDs that may or may not match valid IDs of accounts of the system. If the system responds differently to login attempts containing IDs that match valid IDs than to login attempts containing IDs that do not match valid IDs, then by observing this differential behavior the attacker learns or “enumerates” the accounts existing in the system. This specific information can then be used in subsequent attacks that are more targeted to the specific existing accounts.