[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Time Invariant String Comparison
- From: David Given <dg@...>
- Date: Sat, 25 Jan 2014 11:48:29 +0000
On 25/01/14 11:06, Rob Kendrick wrote:
> On Fri, Jan 24, 2014 at 10:12:02PM -0800, William Ahern wrote:
[...]
>> Who in their right mind would allow their website authentication system to
>> spend 5 seconds (an eternity!) hogging a CPU? Especially when you could
>> instead mandate passwords just three or four characters longer for the same
>> benefit and without crippling your throughput?
>
> Because verifying with a correct password is much faster than verifying
> with an incorrect one. Plus, that 5 seconds is tunable. Want it to be
> only a milisecond? Fine. You can do that, and make sure it's always a
> milisecond, regardless of how fast computers get.
Woah, woah, you're talking about two different things.
William's talking about it taking 5 CPU-seconds verifying passwords.
This is very bad because it makes the web server trivially DOSable (a
couple of thousand simultaneous access attempts will cause the server to
implode).
You're talking about a forced delay as punishment for submitting an
incorrect password. This is very good because it consumes no resources
(done right) and makes the server much harder to DoS. That's a totally
different thing.
--
┌─── dg@cowlark.com ───── http://www.cowlark.com ─────
│ "There does not now, nor will there ever, exist a programming
│ language in which it is the least bit hard to write bad programs." ---
│ Flon's Axiom
Attachment:
signature.asc
Description: OpenPGP digital signature
- References:
- Re: Time Invariant String Comparison, Pierre Chapuis
- Re: Time Invariant String Comparison, William Ahern
- Re: Time Invariant String Comparison, Andres Perera
- Re: Time Invariant String Comparison, William Ahern
- Re: Time Invariant String Comparison, Andres Perera
- Re: Time Invariant String Comparison, William Ahern
- Re: Time Invariant String Comparison, Andres Perera
- Re: Time Invariant String Comparison, William Ahern
- Re: Time Invariant String Comparison, Andres Perera
- Re: Time Invariant String Comparison, William Ahern
- Re: Time Invariant String Comparison, Rob Kendrick