- Subject: Re: Time Invariant String Comparison
- From: Philipp Janda <siffiejoe@...>
- Date: Thu, 16 Jan 2014 16:11:25 +0100
On 16.01.2014 14:01, Oliver Kroth wrote:
> If the response time is measured, a random delay for the response should
> fix this.
A small random delay won't help much: You can test the same password
multiple times, calculate the mean response time, and subtract the
expected delay ...
> One may even add a basic delay for each response that is increased with
> every wrong attempt from the same source. This makes it less and less
> efficient to hack the credentials.
This is a good idea anyways but not as easy to do if you have a
multi-process server (you would need some form of shared memory to store
state between requests).
> If the CPU load, memory access, HF radiation or some other side effects
> are monitored, a custom compare function may provide enough fog.
I think Thijs' suggestion could work, but I would make sure that all
one-character strings are in the string pool at the time of the
comparison or else you could measure the time difference between
creating one or two one-character strings.
> Why not use hashed passwords, which is a better idea anyway as this
> takes a length independent time, and you may store the credentials in a
> safe way?
That would also be my favorite option. And always use salted password
hashes!
Philipp
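The string-pool caveat raised in this message applies to any Lua compare function that walks the two strings with string.sub, because each one-character substring it creates is interned and the cost of creating versus finding one differs. The example below is added here and is not code from the thread or from any poster; it assumes Lua 5.1 or later and the function name ct_equal is my own. It compares byte values returned by string.byte, which allocates no strings at all, and it folds the length check and every byte difference into one arithmetic accumulator so that neither the loop count nor the work per iteration depends on how many leading bytes match.

```lua
-- Constant-time string comparison for Lua 5.1+ (added example, not from the
-- original thread). Uses only string.byte and arithmetic: no one-character
-- strings are created, so the interning of short strings mentioned in the
-- message above never enters the picture.
local function ct_equal(expected, given)
  local n = #expected
  local m = #given
  -- Squared length difference: zero only when the lengths are equal, and
  -- never negative, so it cannot be cancelled out by a byte mismatch below.
  local diff = (n - m) * (n - m)
  -- Loop over the length of the caller-supplied value; the attacker already
  -- knows that length, whereas looping over #expected would leak the
  -- secret's length through timing.
  for i = 1, m do
    -- string.byte returns no value past the end of the string; substitute 0
    -- so every iteration performs the same operations.
    local a = string.byte(expected, i) or 0
    local b = string.byte(given, i) or 0
    local d = a - b
    -- Sum of squared differences is zero only if every byte matched.
    diff = diff + d * d
  end
  return diff == 0
end

-- Constructed sample values for a quick self-check.
assert(ct_equal("correct horse", "correct horse"))
assert(not ct_equal("correct horse", "correct horsE"))
assert(not ct_equal("correct horse", "correct hors"))
assert(not ct_equal("correct horse", "correct horse "))

return ct_equal
```

As the message suggests, the safest use of this function is not on the password itself but on the fixed-length output of a salted password hash (for example two hex digests), so that the comparison takes the same time regardless of the password's length and the stored credential is never a plaintext.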