diff --git a/change.go b/change.go
index d915aba..4e33727 100644
--- a/change.go
+++ b/change.go
@@ -81,6 +81,8 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
 renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
 } else if dn, err := conn.SearchDN(r.PostFormValue("login"), true); err != nil {
 log.Println(err)
+ // User not found: perform a dummy bind to prevent username enumeration via timing.
+ conn.Bind("cn=dummy,"+myLDAP.BaseDN, r.PostFormValue("password"))
 renderError(http.StatusUnauthorized, "Invalid login or password.")
 } else if err := conn.Bind(dn, r.PostFormValue("password")); err != nil {
 log.Println(err)
diff --git a/login.go b/login.go
index 63af618..88767c9 100644
--- a/login.go
+++ b/login.go
@@ -88,6 +88,8 @@ func login(login string, password string) ([]*ldap.EntryAttribute, error) {
 if err != nil {
 dn, err = conn.SearchDN(login, false)
 if err != nil {
+ // User not found: perform a dummy bind to prevent username enumeration via timing.
+ conn.Bind("cn=dummy,"+myLDAP.BaseDN, password)
 return nil, err
 }
 }
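Review bot: The error from the dummy `conn.Bind` added in changePassword is dropped silently, and the timing equalization it aims for depends on how the directory treats a bind to a DN that does not exist — a server that rejects `cn=dummy,<BaseDN>` before doing any password verification answers faster than a failed bind for a real user, so the gap is narrowed but not necessarily closed. I would make the discarded result explicit so errcheck-style linters and readers see the intent, `_ = conn.Bind("cn=dummy,"+myLDAP.BaseDN, r.PostFormValue("password")) // best-effort timing padding; result intentionally ignored`. The comment should also say this is approximate and that binding as a dedicated, existing low-privilege account would equalize server-side work more reliably — whether the deployed server short-circuits nonexistent DNs is an assumption to confirm. The body of changePassword begins and ends outside this hunk.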
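Review bot: The dummy bind in login is only reached after the second `conn.SearchDN(login, false)` fails, so an unknown login still costs two directory searches plus the padding bind, while a user found by the first lookup (just above the hunk) costs one search plus a real bind; the two paths therefore still differ by a SearchDN round-trip, and the comment's "prevent" overstates what is achieved. I would reword the added comment to state the limitation, `// User not found: best-effort dummy bind to narrow the timing difference against a real failed bind (an extra SearchDN round-trip remains).`, and write the ignored result explicitly as `_ = conn.Bind("cn=dummy,"+myLDAP.BaseDN, password)`. Whether SearchDN with `true` and `false` differ materially in cost is not visible here and would need checking before relying on this. login's body begins and ends outside the hunk.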