"Karl E. Jorgensen" <k...@fizzback.net> writes:

> Hi!
>
> On Mon, Jun 21, 2010 at 05:47:21PM -0400, Celejar wrote:
>> On Mon, 21 Jun 2010 23:35:37 +0200
>> Merciadri Luca <luca.mercia...@student.ulg.ac.be> wrote:
>>
>> > I use GNOME.
>> >
>> > I have noticed that if I type some erroneous password to leave the
>> > screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
>> > erroneous. If I type the correct password, I am directly sent in my
>> > session. Why does it take so much time to tell me that a password is
>> > erroneous? I can even know if I made a typo by looking at how much time
>> > it takes!
>
> I believe that artificially introducing a delay when wrong credentials are
> presented is standard operating procedure for most things where a password must
> be entered. As far as I know, there are several rationales behind this:
>
> - To frustrate anybody trying to guess passwords. Being allowed to try many
>   combinations in a short time helps make things difficult for attackers, and
>   does not help legitimate users.
>
> - To avoid "leaking" information: If entering a "nearly-correct" password
>   responds faster than when entering an "obviously-wrong" password, an attacker
>   can use this to improve the guesses - sort of triangulating. If it always
>   takes the same amount of time before the "wrong username/password" reply
>   comes, this information is not available to a prospective attacker.
>
> I presume that some implementations add a random delay to obfuscate things
> further.
>
> All in all, this makes things more difficult for attackers, whilst only being a
> minor inconvenience for the "good guys": a good trade-off.
>
>> Same thing with xscreensaver. I think that a lot of software that asks
>> for a password behaves like this, perhaps to prevent brute-forcing?
>> I'm not sure if brute-forcing is possible on a GUI, though.
>
> I suspect this is simply a problem of acquiring the right tools for the job:
>
> - X events can be generated by software (e.g. the xmacro package). This is
>   evident if you use VNC to control a remote machine: the screen saver is
>   none-the-wiser to the fact that you are remote.
>
> - USB keyboards can probably be simulated by other devices. I would not be
>   surprised to find Linux tools that allow a PC to act as a USB device, rather
>   than USB "master". From here on, it is just software again.
>
> and probably lots of other ways...

Thanks (to others too).

--
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
--
Remember. If something can go wrong, it will.

Archive: http://lists.debian.org/878w677f3b....@merciadriluca-station.merciadriluca
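As an added example (not code from the thread or from GNOME/xscreensaver) of the behaviour Karl describes: a constant-time digest comparison, a fixed minimum wait before a wrong password is reported, and optional random jitter, while a correct password is accepted as soon as it has been checked. The salt, stored hash and timing constants are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential: the salt and PBKDF2 hash of "correct horse".
SALT = b"constructed-salt"
STORED_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 10_000)

# Hypothetical tuning values, kept small so the example runs quickly;
# the GNOME delay described in the thread is on the order of 3-4 s.
MIN_REJECT_SECONDS = 0.05   # every rejection takes at least this long
JITTER_SECONDS = 0.01       # optional random extra delay on rejection


def verify_password(candidate: bytes,
                    min_reject: float = MIN_REJECT_SECONDS,
                    jitter: float = JITTER_SECONDS) -> tuple[bool, float]:
    """Return (accepted, elapsed_seconds) for one unlock attempt.

    - hmac.compare_digest compares the whole digest regardless of where the
      first mismatch is, so "nearly right" and "obviously wrong" cost the same.
    - A wrong password is not reported until at least `min_reject` seconds
      have passed, so serial guessing gets roughly one attempt per min_reject.
    - Optional random jitter hides how much of the wait was real work.
    A correct password is accepted as soon as the hash has been checked,
    which matches what Luca observed in GNOME.
    """
    start = time.monotonic()
    derived = hashlib.pbkdf2_hmac("sha256", candidate, SALT, 10_000)
    accepted = hmac.compare_digest(derived, STORED_HASH)
    if not accepted:
        extra = secrets.SystemRandom().uniform(0, jitter) if jitter > 0 else 0.0
        remaining = min_reject + extra - (time.monotonic() - start)
        if remaining > 0:
            time.sleep(remaining)
    return accepted, time.monotonic() - start


if __name__ == "__main__":
    for guess in (b"correct horse", b"correct horsf", b"x"):
        ok, took = verify_password(guess)
        print(f"{guess!r:20} accepted={ok!s:5} took={took:.3f}s")
```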