Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?

2010-06-26 Thread Merciadri Luca

Rob Owens  writes:

> On Mon, Jun 21, 2010 at 05:07:33PM -0500, Ron Johnson wrote:
>> On 06/21/2010 04:47 PM, Celejar wrote:
>>> On Mon, 21 Jun 2010 23:35:37 +0200
>>> Merciadri Luca  wrote:
>>>
>>>> Hi,
>>>>
>>>> I use GNOME.
>>>>
>>>> I have noticed that if I type some erroneous password to leave the
>>>> screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
>>>> erroneous. If I type the correct password, I am directly sent in my
>>>> session. Why does it take so much time to tell me that a password is
>>>> erroneous? I can even know if I made a typo by looking at how much time
>>>> it takes!
>>>
>>> Same thing with xscreensaver.  I think that a lot of software that asks
>>> for a password behaves like this, perhaps to prevent brute-forcing?
>>> I'm not sure if brute-forcing is possible on a GUI, though.
>>>
>>
>> Since I notice the same issue when logging in from the console, could it 
>> be a problem with libpam?
>>
> /etc/pam.d/login contains this on my system:
>
> # Enforce a minimal delay in case of failure (in microseconds).
> # (Replaces the `FAIL_DELAY' setting from login.defs)
> # Note that other modules may require another minimal delay. (for
> # example,
> # to disable any delay, you should add the nodelay option to pam_unix)
> auth   optional   pam_faildelay.so  delay=300
Thanks for mentioning this.

-- 
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
-- 

The whole dignity of man lies in the power of thought. 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87vd95elum@merciadriluca-station.merciadriluca



Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?

2010-06-23 Thread Rob Owens
On Mon, Jun 21, 2010 at 05:07:33PM -0500, Ron Johnson wrote:
> On 06/21/2010 04:47 PM, Celejar wrote:
>> On Mon, 21 Jun 2010 23:35:37 +0200
>> Merciadri Luca  wrote:
>>
>>> Hi,
>>>
>>> I use GNOME.
>>>
>>> I have noticed that if I type some erroneous password to leave the
>>> screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
>>> erroneous. If I type the correct password, I am directly sent in my
>>> session. Why does it take so much time to tell me that a password is
>>> erroneous? I can even know if I made a typo by looking at how much time
>>> it takes!
>>
>> Same thing with xscreensaver.  I think that a lot of software that asks
>> for a password behaves like this, perhaps to prevent brute-forcing?
>> I'm not sure if brute-forcing is possible on a GUI, though.
>>
>
> Since I notice the same issue when logging in from the console, could it 
> be a problem with libpam?
>
/etc/pam.d/login contains this on my system:

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for
# example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth   optional   pam_faildelay.so  delay=300

-Rob





Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?

2010-06-22 Thread Merciadri Luca

"Karl E. Jorgensen"  writes:

> Hi!
>
> On Mon, Jun 21, 2010 at 05:47:21PM -0400, Celejar wrote:
>> On Mon, 21 Jun 2010 23:35:37 +0200
>> Merciadri Luca  wrote:
>> 
>> > I use GNOME.
>> > 
>> > I have noticed that if I type some erroneous password to leave the
>> > screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
>> > erroneous. If I type the correct password, I am directly sent in my
>> > session. Why does it take so much time to tell me that a password is
>> > erroneous? I can even know if I made a typo by looking at how much time
>> > it takes!
>
> I believe that artificially introducing a delay when wrong credentials are
> presented is standard operating procedure for most things where a password must
> be entered.  As far as I know, there are several rationales behind this:
>
> - To frustrate anybody trying to guess passwords. Being allowed to try many
>   combinations in a short time helps make things difficult for attackers, and
>   does not help legitimate users.
>
> - To avoid "leaking" information: If entering a "nearly-correct" password
>   responds faster than when entering an "obviously-wrong" password, an attacker
>   can use this to improve the guesses - sort of triangulating.  If it always
>   takes the same amount of time before the "wrong username/password" reply
>   comes, this information is not available to a prospective attacker.
>
>   I presume that some implementations add a random delay to obfuscate things
>   further.
>
> All in all, this makes things more difficult for attackers, whilst only being a
> minor inconvenience for the "good guys": a good trade-off.
>
>> Same thing with xscreensaver.  I think that a lot of software that asks
>> for a password behaves like this, perhaps to prevent brute-forcing?
>> I'm not sure if brute-forcing is possible on a GUI, though.
>
> I suspect this is simply a problem of acquiring the right tools for the job:
>
> - X events can be generated by software (e.g. the xmacro package).  This is
>   evident if you use VNC to control a remote machine:  the screen saver is
>   none-the-wiser to the fact that you are remote.
>
> - USB keyboards can probably be simulated by other devices. I would not be
>   surprised to find linux tools that allow a PC to act as a USB device, rather
>   than USB "master".  From here on, it is just software again.
>
> and probably lots of other ways...
Thanks (to others too).
-- 
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
-- 

Remember. If something can go wrong, it will. 





Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?

2010-06-21 Thread Celejar
On Mon, 21 Jun 2010 23:11:50 +0100
"Karl E. Jorgensen"  wrote:

> Hi!
> 
> On Mon, Jun 21, 2010 at 05:47:21PM -0400, Celejar wrote:

...

> > Same thing with xscreensaver.  I think that a lot of software that asks
> > for a password behaves like this, perhaps to prevent brute-forcing?
> > I'm not sure if brute-forcing is possible on a GUI, though.
> 
> I suspect this is simply a problem of acquiring the right tools for the job:
> 
> - X events can be generated by software (e.g. the xmacro package).  This is
>   evident if you use VNC to control a remote machine:  the screen saver is
>   none-the-wiser to the fact that you are remote.
> 
> - USB keyboards can probably be simulated by other devices. I would not be
>   surprised to find linux tools that allow a PC to act as a USB device, rather
>   than USB "master".  From here on, it is just software again.
> 
> and probably lots of other ways...

Good points; I should have realized this.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator





Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?

2010-06-21 Thread Karl E. Jorgensen
Hi!

On Mon, Jun 21, 2010 at 05:47:21PM -0400, Celejar wrote:
> On Mon, 21 Jun 2010 23:35:37 +0200
> Merciadri Luca  wrote:
> 
> > I use GNOME.
> > 
> > I have noticed that if I type some erroneous password to leave the
> > screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
> > erroneous. If I type the correct password, I am directly sent in my
> > session. Why does it take so much time to tell me that a password is
> > erroneous? I can even know if I made a typo by looking at how much time
> > it takes!

I believe that artificially introducing a delay when wrong credentials are
presented is standard operating procedure for most things where a password must
be entered.  As far as I know, there are several rationales behind this:

- To frustrate anybody trying to guess passwords. Being allowed to try many
  combinations in a short time helps make things difficult for attackers, and
  does not help legitimate users.

- To avoid "leaking" information: If entering a "nearly-correct" password
  responds faster than when entering an "obviously-wrong" password, an attacker
  can use this to improve the guesses - sort of triangulating.  If it always
  takes the same amount of time before the "wrong username/password" reply
  comes, this information is not available to a prospective attacker.

  I presume that some implementations add a random delay to obfuscate things
  further.

All in all, this makes things more difficult for attackers, whilst only being a
minor inconvenience for the "good guys": a good trade-off.

> Same thing with xscreensaver.  I think that a lot of software that asks
> for a password behaves like this, perhaps to prevent brute-forcing?
> I'm not sure if brute-forcing is possible on a GUI, though.

I suspect this is simply a problem of acquiring the right tools for the job:

- X events can be generated by software (e.g. the xmacro package).  This is
  evident if you use VNC to control a remote machine:  the screen saver is
  none-the-wiser to the fact that you are remote.

- USB keyboards can probably be simulated by other devices. I would not be
  surprised to find linux tools that allow a PC to act as a USB device, rather
  than USB "master".  From here on, it is just software again.

and probably lots of other ways...

-- 
Karl E. Jorgensen
IT Operations Manager
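Karl's two rationales above, a fixed wait on every failed attempt and no timing difference between a near-miss and an obviously wrong guess, are shown below in a short Python example added here; it is not code from the thread, from GNOME or from pam_faildelay. The stored secret, the 50 ms delay and the function names are constructed for the example.

```python
import hmac
import time

# Constructed for this example: a real system stores a salted hash, not the password.
STORED_SECRET = b"correct-horse-battery"
# Minimum time a *failed* check must take; stands in for pam_faildelay's delay= option.
MIN_FAIL_DELAY = 0.05  # seconds


def naive_check(candidate):
    """Early-exit comparison: the leak Karl describes.

    Returns at the first differing byte, so a guess sharing a long prefix
    with the secret takes measurably longer to reject than one that differs
    in its first byte.
    """
    if len(candidate) != len(STORED_SECRET):
        return False
    for a, b in zip(candidate, STORED_SECRET):
        if a != b:
            return False
    return True


def check_with_faildelay(candidate, min_fail_delay=MIN_FAIL_DELAY):
    """Constant-time comparison plus a minimum delay on failure.

    hmac.compare_digest's running time depends only on the input lengths,
    not on where the inputs differ, so near-miss and far-miss guesses are
    rejected in the same time. On failure the call is padded out to
    min_fail_delay, matching the thread's observation: wrong password ->
    fixed wait, right password -> immediate return.
    Returns (ok, elapsed_seconds).
    """
    start = time.monotonic()
    ok = hmac.compare_digest(candidate, STORED_SECRET)
    if not ok:
        remaining = min_fail_delay - (time.monotonic() - start)
        if remaining > 0:
            time.sleep(remaining)
    return ok, time.monotonic() - start


if __name__ == "__main__":
    for guess in (b"correct-horse-battery", b"correct-horse-battexy", b"x" * 21):
        ok, elapsed = check_with_faildelay(guess)
        print(f"{guess!r}: ok={ok} elapsed={elapsed * 1000:.1f} ms")
```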





Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?

2010-06-21 Thread Ron Johnson

On 06/21/2010 04:47 PM, Celejar wrote:
> On Mon, 21 Jun 2010 23:35:37 +0200
> Merciadri Luca  wrote:
>
>> Hi,
>>
>> I use GNOME.
>>
>> I have noticed that if I type some erroneous password to leave the
>> screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
>> erroneous. If I type the correct password, I am directly sent in my
>> session. Why does it take so much time to tell me that a password is
>> erroneous? I can even know if I made a typo by looking at how much time
>> it takes!
>
> Same thing with xscreensaver.  I think that a lot of software that asks
> for a password behaves like this, perhaps to prevent brute-forcing?
> I'm not sure if brute-forcing is possible on a GUI, though.

Since I notice the same issue when logging in from the console, 
could it be a problem with libpam?


--
Seek truth from facts.





Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?

2010-06-21 Thread Celejar
On Mon, 21 Jun 2010 23:35:37 +0200
Merciadri Luca  wrote:

> Hi,
> 
> I use GNOME.
> 
> I have noticed that if I type some erroneous password to leave the
> screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
> erroneous. If I type the correct password, I am directly sent in my
> session. Why does it take so much time to tell me that a password is
> erroneous? I can even know if I made a typo by looking at how much time
> it takes!

Same thing with xscreensaver.  I think that a lot of software that asks
for a password behaves like this, perhaps to prevent brute-forcing?
I'm not sure if brute-forcing is possible on a GUI, though.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator





Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?

2010-06-21 Thread Merciadri Luca
Hi,

I use GNOME.

I have noticed that if I type some erroneous password to leave the
screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
erroneous. If I type the correct password, I am directly sent in my
session. Why does it take so much time to tell me that a password is
erroneous? I can even know if I made a typo by looking at how much time
it takes!

Thanks.

-- 
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
I use PGP. If there is an incompatibility problem with your mail
client, please contact me.


Nothing in life is to be feared; it is only to be understood. (Marie Curie)


