#20760: Account enumeration through timing attack in password verification in
django.contrib.auth
-------------------------------------+-------------------------------------
Reporter: jpaglier@… | Owner: anonymous
Type: Bug | Status: assigned
Component: contrib.auth | Version: 1.5
Severity: Normal | Resolution:
Keywords: security | Triage Stage: Accepted
authentication timing enumeration | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 1
Needs tests: 1 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Comment (by PaulM):
To address some things mentioned earlier:
Adding a random delay to the return is absolutely not an acceptable
solution, for both the reason that it introduces unnecessary latency, and
the fact that it does not, in fact, solve the problem in any meaningful
fashion. An attacker can always take more samples.
If you actually want to test for a timing difference, you'll want to
retain all of the processing times for both samples and use the
Kolmogorov-Smirnov test to figure out if they're different. You can't use
Student's t-test because the samples are not normally distributed. There's
more information on this in my presentation from Djangocon 2011.
The latest patch and test look reasonable to me.
--
Ticket URL: <https://code.djangoproject.com/ticket/20760#comment:16>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/074.bee622b5b1577abc2b916b77a2e3e375%40djangoproject.com.
For more options, visit https://groups.google.com/groups/opt_out.
