

On 16.01.2014 14:01, Oliver Kroth wrote:
If the response time is measured, a random delay for the response should
fix this.

A small random delay won't help much: You can test the same password multiple times, calculate the mean response time, and subtract the expected delay ...

One may even add a basic delay for each response that is increased with
every wrong attempt from the same source. This makes it less and less
efficient to hack the credentials.

This is a good idea anyways but not as easy to do if you have a multi-process server (you would need some form of shared memory to store state between requests).


If the CPU load, memory access, HF radiation or some other side effects
are monitored, a custom compare function may provide enough fog.

I think Thijs' suggestion could work, but I would make sure that all one-character strings are in the string pool at the time of the comparison or else you could measure the time difference between creating one or two one-character strings.


Why not use hashed passwords, which is a better idea anyway as this
takes a length independent time, and you may store the credentials in a
safe way?

That would also be my favorite option. And always use salted password hashes!

Philipp
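The two defensive points made in this message (a compare function that does not stop at the first differing byte, and salted password hashes so that the comparison always runs over fixed-length digests) as an added example, written in Python rather than Lua because the hashing primitives are in the standard library; this is illustration code, not anything posted in the thread, and ITERATIONS is a constructed value.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor; a constructed value for this example, tune for your hardware.
ITERATIONS = 100_000


def naive_equal(a: bytes, b: bytes) -> bool:
    """Early-exit comparison, the weak form the thread discusses: the loop
    stops at the first mismatching byte, so the running time reveals how long
    a matching prefix the attempt had, and averaging many measurements
    removes any random delay added on top."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Custom compare function: always walks every byte and folds the
    differences into one accumulator, so the time depends only on the
    length, not on where the first difference is.
    hmac.compare_digest is the standard-library equivalent."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). The digest has a
    fixed length, so comparing it takes the same time for every attempt, and
    the per-user salt stops one precomputed table from covering all users."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> tuple[bytes, bytes]:
    """Store (salt, digest), never the password itself."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(stored: tuple[bytes, bytes], attempt: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored
    return constant_time_equal(hash_password(attempt, salt), digest)
```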