Hi!

On Mon, Jun 21, 2010 at 05:47:21PM -0400, Celejar wrote:
> On Mon, 21 Jun 2010 23:35:37 +0200
> Merciadri Luca <luca.mercia...@student.ulg.ac.be> wrote:
>
> > I use GNOME.
> >
> > I have noticed that if I type some erroneous password to leave the
> > screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
> > erroneous. If I type the correct password, I am directly sent in my
> > session. Why does it take so much time to tell me that a password is
> > erroneous? I can even know if I made a typo by looking at how much time
> > it takes!
I believe that artificially introducing a delay when wrong credentials are presented is standard operating procedure for most things where a password must be entered. As far as I know, there are several rationales behind this:

- To frustrate anybody trying to guess passwords. Being allowed to try many combinations in a short time helps make things difficult for attackers, and does not help legitimate users.

- To avoid "leaking" information: If entering a "nearly-correct" password responds faster than when entering an "obviously-wrong" password, an attacker can use this to improve the guesses - sort of triangulating. If it always takes the same amount of time before the "wrong username/password" reply comes, this information is not available to a prospective attacker. I presume that some implementations add a random delay to obfuscate things further.

All in all, this makes things more difficult for attackers, whilst only being a minor inconvenience for the "good guys": a good trade-off.

> Same thing with xscreensaver. I think that a lot of software that asks
> for a password behaves like this, perhaps to prevent brute-forcing?
> I'm not sure if brute-forcing is possible on a GUI, though.

I suspect this is simply a problem of acquiring the right tools for the job:

- X events can be generated by software (e.g. the xmacro package). This is evident if you use VNC to control a remote machine: the screen saver is none the wiser to the fact that you are remote.

- USB keyboards can probably be simulated by other devices. I would not be surprised to find Linux tools that allow a PC to act as a USB device, rather than USB "master". From here on, it is just software again.

and probably lots of other ways...

-- 
Karl E. Jorgensen
IT Operations Manager

Archive: http://lists.debian.org/20100621221147.ge19...@hawking.jorgensen.org.uk
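The two rationales in the reply above (slow down guessing, and do not let the response time say how close a guess was) can be shown side by side in a few lines. The following Python is an added example written for this page; it is not GNOME, xscreensaver or PAM code. It assumes a constructed credential store (one salted PBKDF2 digest of a made-up password), a `naive_compare` that exits at the first mismatch so the leak is visible as a count of bytes examined, and a `verify_password` that uses `hmac.compare_digest` plus a fixed pause on failure, parameterised as `failure_delay` so the ~3 second pause from the thread can be scaled down when running it.

```python
import hashlib
import hmac
import os
import time

# Constructed demo credential store: a salted PBKDF2 digest of one password.
# (Stand-in for the screensaver's PAM lookup; not real GNOME/xscreensaver code.)
_SALT = os.urandom(16)
_ITERATIONS = 50_000


def _derive(password: bytes, salt: bytes = _SALT) -> bytes:
    """Slow, salted hash of a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, _ITERATIONS)


STORED_DIGEST = _derive(b"correct horse battery")  # constructed "correct" password


def naive_compare(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Early-exit comparison: stops at the first differing byte.

    Returns (equal, bytes_examined).  The second value is the leak the reply
    describes: a guess sharing a longer correct prefix keeps the loop running
    longer, and that extra time is observable to whoever submits the guess.
    """
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for x, y in zip(expected, candidate):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def verify_password(candidate: bytes, failure_delay: float = 3.0) -> bool:
    """Hardened check: constant-time digest comparison plus a fixed pause on
    failure, so every wrong guess costs the same wall-clock time and the
    response time no longer says how wrong the guess was.

    The digests are always the same length (32 bytes), so compare_digest
    runs in time independent of their contents.
    """
    ok = hmac.compare_digest(STORED_DIGEST, _derive(candidate))
    if not ok:
        time.sleep(failure_delay)  # the ~3 s pause the original poster noticed
    return ok


def failed_attempt_seconds(candidate: bytes, failure_delay: float) -> float:
    """Wall-clock cost of one rejected guess; -1.0 if the guess was accepted."""
    start = time.monotonic()
    accepted = verify_password(candidate, failure_delay)
    elapsed = time.monotonic() - start
    return -1.0 if accepted else elapsed


if __name__ == "__main__":
    # Each guess shares a longer correct prefix with "abcdef"; the naive path
    # examines more bytes each time, which is what an attacker would time.
    for guess in (b"xxxxxx", b"abxxxx", b"abcdxx", b"abcdef"):
        print(guess, naive_compare(b"abcdef", guess))
    # The hardened path: correct password returns immediately, any wrong one
    # costs the same fixed delay however close it was.
    print("hardened, correct:", verify_password(b"correct horse battery", 0.1))
    print("hardened, wrong, seconds:",
          round(failed_attempt_seconds(b"correct horse batterx", 0.1), 2))
```

Note that the fixed delay is only applied on failure, which is why the original poster can still tell a typo from a correct password: success versus failure is information the legitimate user has to receive anyway. What the hardened path removes is the finer-grained signal of how many leading bytes were right; the random jitter the reply mentions would be an additional `time.sleep` of a random length in the failure branch.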