Re: Bright idea...
- From: Aleph One <aleph1 dfw net>
- To: pam-list redhat com
- Subject: Re: Bright idea...
- Date: Mon, 24 Jun 1996 13:16:51 -0500 (CDT)
On Mon, 24 Jun 1996, Theodore Y. Ts'o wrote:
> In many, if not most, cases this type of timing attack really isn't
> practical. Hence, I'm not convinced that it's really worth the huge
> increase of complexity to protect against this sort of thing. (In
> general the only information that can be leaked is whether the username
> or password is incorrect --- and in many cases there's many other ways
> to determine whether the username is valid on a system, and in even more
> cases users don't care about trying to keep it a secret whether or not a
> username is valid.)
True.
> If you really care about this, though, there's a much simpler way of
> accomplishing it, which is to make the delay module have an option for
> delaying a random amount of time. Just have two control knobs --- the
> average amount of delay, and the standard deviation of the delay. If
> these variables are set appropriately, it will thwart someone who might
> figure out (oh no!!!) whether or not a login was rejected because the
> username or the password is incorrect.
Works for me.
> - Ted
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
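
The two-knob random delay proposed in the quoted message, sketched as an added example (not part of the original thread and not code from any PAM module). The struct and function names are hypothetical, the `max_ms` clamp is an added assumption, and a sum of 12 uniforms stands in for an exact normal sampler.

```c
#define _POSIX_C_SOURCE 200809L /* for nanosleep() */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical knobs; the names are assumptions, not real PAM options. */
struct delay_cfg {
    double mean_ms;   /* average delay */
    double stddev_ms; /* standard deviation of the delay */
    double max_ms;    /* clamp so a tail sample cannot stall the login */
};
#define N_UNIFORM 12

/* The sum of 12 uniforms in [0,1) minus 6 has mean 0 and variance 1 (an
 * Irwin-Hall approximation of a standard normal): scale, shift, clamp. */
double delay_from_uniforms(const struct delay_cfg *c, const double *u) {
    double z = -6.0;
    for (int i = 0; i < N_UNIFORM; i++) z += u[i];
    double d = c->mean_ms + c->stddev_ms * z;
    if (d < 0.0) d = 0.0;
    return d > c->max_ms ? c->max_ms : d;
}

/* Draw the uniforms from the kernel CSPRNG so the delay is not predictable.
 * If randomness is unavailable, fall back to the longest delay. */
double sample_delay_ms(const struct delay_cfg *c) {
    uint32_t raw[N_UNIFORM];
    double u[N_UNIFORM];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(raw, sizeof raw[0], N_UNIFORM, f) : 0;
    if (f) fclose(f);
    if (n != N_UNIFORM) return c->max_ms;
    for (int i = 0; i < N_UNIFORM; i++) u[i] = raw[i] / 4294967296.0; /* 2^32 */
    return delay_from_uniforms(c, u);
}

/* Call on every failed authentication, whatever the reason for the failure. */
double delay_after_failure(const struct delay_cfg *c) {
    double ms = sample_delay_ms(c);
    struct timespec ts = { .tv_sec = (time_t)(ms / 1000.0) };
    ts.tv_nsec = (long)((ms - (double)ts.tv_sec * 1000.0) * 1e6);
    nanosleep(&ts, NULL);
    return ms;
}

int main(void) {
    struct delay_cfg c = { 200.0, 50.0, 500.0 }; /* constructed sample knobs */
    printf("slept %.1f ms\n", delay_after_failure(&c));
    return 0;
}
```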