This page indexes all the ways I can infer: InfeRence Index.

  1. Templating
    • Eg. username guessing by knowing that it always follows the form, firstname.lastname@company.com
  2. Reality Byproduct
    • Because you cannot lock out an account that does not exist, only valid account names will lock. An attacker could use this fact to harvest usernames from the site, depending on the error responses.
  3. The startup time of a desktop app tells us how much functionality it has.
  4. Response time
    • Try to make the response time longer for valid usernames, by increasing the password length, which will increase the hashing time?
  5. Name Reason
    • What's the reason behind the name?