- Subject: Re: Time Invariant String Comparison
- From: Oliver Kroth <oliver.kroth@...>
- Date: Thu, 16 Jan 2014 14:01:53 +0100
If the response time is measured, a random delay for the response should
fix this.
One may even add a basic delay for each response that is increased with
every wrong attempt from the same source. This makes it less and less
efficient to hack the credentials.
If the CPU load, memory access, HF radiation or some other side effects
are monitored, a custom compare function may provide enough fog.
Why not use hashed passwords, which is a better idea anyway as this
takes a length-independent time, and you may store the credentials in a
safe way?
On 16.01.2014 13:39, Paige DePol wrote:
> As for the password attack, wouldn't just adding a tiny random delay
> to each request negate such a problem? Also, wouldn't this type of
> attack only work against servers with very little server load, given
> the delay between checking two characters of a string would be
> exceedingly tiny? ~pmd~
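To make the thread's subject concrete, here is an added Python illustration (not code from either poster or from any project): an early-exit compare whose work depends on the length of the matching prefix, beside a time-invariant compare and the hash-then-compare approach suggested above. The "steps" counter is a constructed stand-in for elapsed time, and plain SHA-256 is used only to show the fixed-length property, not as a password-storage recommendation.

```python
import hashlib
import hmac

def naive_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison, the way an ordinary string compare behaves.
    Returns (result, number of byte comparisons performed). The count is a
    stand-in for elapsed time: it grows with the length of the matching prefix,
    which is exactly the side channel a timing attack observes."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps

def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Time-invariant comparison: every byte is visited and the mismatches are
    OR-accumulated, so the work depends only on the inputs' lengths, never on
    where the first difference is. (The stdlib equivalent is
    hmac.compare_digest; this version exposes the step count for the demo.)"""
    diff = len(a) ^ len(b)          # a length mismatch is folded into the result
    n = max(len(a), len(b))
    a_pad = a.ljust(n, b"\x00")     # pad so both loops run the same number of steps
    b_pad = b.ljust(n, b"\x00")
    steps = 0
    for x, y in zip(a_pad, b_pad):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps

def store(password: bytes) -> bytes:
    """Constructed stand-in for the stored credential: a fixed-length digest.
    A real system would use a salted, deliberately slow password hash."""
    return hashlib.sha256(password).digest()

def hashed_equal(stored_hash: bytes, candidate: bytes) -> tuple[bool, int]:
    """Hash the candidate first, then compare two 32-byte digests: the
    comparison cost is the same for a one-byte guess and a long one, which is
    the length-independence argued for above."""
    return constant_time_equal(stored_hash, hashlib.sha256(candidate).digest())

def stdlib_equal(a: bytes, b: bytes) -> bool:
    """The primitive to reach for in production code."""
    return hmac.compare_digest(a, b)
```

Run naive_equal(b"secret", b"sXXXXX") against naive_equal(b"secret", b"secreX") and the step counts differ (2 versus 6), while constant_time_equal reports 6 for both.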