Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?
Rob Owens <row...@ptd.net> writes:

> On Mon, Jun 21, 2010 at 05:07:33PM -0500, Ron Johnson wrote:
>> On 06/21/2010 04:47 PM, Celejar wrote:
>>> On Mon, 21 Jun 2010 23:35:37 +0200 Merciadri Luca <luca.mercia...@student.ulg.ac.be> wrote:
>>>> Hi,
>>>>
>>>> I use GNOME. I have noticed that if I type some erroneous password to leave the screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is erroneous. If I type the correct password, I am directly sent into my session. Why does it take so much time to tell me that a password is erroneous? I can even know if I made a typo by looking at how much time it takes!
>>>
>>> Same thing with xscreensaver. I think that a lot of software that asks for a password behaves like this, perhaps to prevent brute-forcing? I'm not sure if brute-forcing is possible on a GUI, though.
>>
>> Since I notice the same issue when logging in from the console, could it be a problem with libpam?
>
> /etc/pam.d/login contains this on my system:
>
>     # Enforce a minimal delay in case of failure (in microseconds).
>     # (Replaces the `FAIL_DELAY' setting from login.defs)
>     # Note that other modules may require another minimal delay. (for
>     # example, to disable any delay, you should add the nodelay option to
>     # pam_unix)
>     auth optional pam_faildelay.so delay=300

Thanks for mentioning this.

-- 
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
The whole dignity of man lies in the power of thought.

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87vd95elum@merciadriluca-station.merciadriluca
Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?
On Mon, Jun 21, 2010 at 05:07:33PM -0500, Ron Johnson wrote:
> On 06/21/2010 04:47 PM, Celejar wrote:
>> On Mon, 21 Jun 2010 23:35:37 +0200 Merciadri Luca <luca.mercia...@student.ulg.ac.be> wrote:
>>> Hi,
>>>
>>> I use GNOME. I have noticed that if I type some erroneous password to leave the screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is erroneous. If I type the correct password, I am directly sent into my session. Why does it take so much time to tell me that a password is erroneous? I can even know if I made a typo by looking at how much time it takes!
>>
>> Same thing with xscreensaver. I think that a lot of software that asks for a password behaves like this, perhaps to prevent brute-forcing? I'm not sure if brute-forcing is possible on a GUI, though.
>
> Since I notice the same issue when logging in from the console, could it be a problem with libpam?

/etc/pam.d/login contains this on my system:

    # Enforce a minimal delay in case of failure (in microseconds).
    # (Replaces the `FAIL_DELAY' setting from login.defs)
    # Note that other modules may require another minimal delay. (for
    # example, to disable any delay, you should add the nodelay option to
    # pam_unix)
    auth optional pam_faildelay.so delay=300

-Rob

Archive: http://lists.debian.org/20100623213257.ga13...@aurora.owens.net
Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?
Karl E. Jorgensen <k...@fizzback.net> writes:

> Hi!
>
> On Mon, Jun 21, 2010 at 05:47:21PM -0400, Celejar wrote:
>> On Mon, 21 Jun 2010 23:35:37 +0200 Merciadri Luca <luca.mercia...@student.ulg.ac.be> wrote:
>>> I use GNOME. I have noticed that if I type some erroneous password to leave the screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is erroneous. If I type the correct password, I am directly sent into my session. Why does it take so much time to tell me that a password is erroneous? I can even know if I made a typo by looking at how much time it takes!
>
> I believe that artificially introducing a delay when wrong credentials are presented is standard operating procedure for most things where a password must be entered. As far as I know, there are several rationales behind this:
>
> - To frustrate anybody trying to guess passwords. Being allowed to try many combinations in a short time helps make things difficult for attackers, and does not help legitimate users.
>
> - To avoid leaking information: If entering a nearly-correct password responds faster than when entering an obviously-wrong password, an attacker can use this to improve the guesses - sort of triangulating. If it always takes the same amount of time before the wrong username/password reply comes, this information is not available to a prospective attacker. I presume that some implementations add a random delay to obfuscate things further.
>
> All in all, this makes things more difficult for attackers, whilst only being a minor inconvenience for the good guys: a good trade-off.
>
>> Same thing with xscreensaver. I think that a lot of software that asks for a password behaves like this, perhaps to prevent brute-forcing? I'm not sure if brute-forcing is possible on a GUI, though.
>
> I suspect this is simply a problem of acquiring the right tools for the job:
>
> - X events can be generated by software (e.g. the xmacro package). This is evident if you use VNC to control a remote machine: the screen saver is none the wiser to the fact that you are remote.
>
> - USB keyboards can probably be simulated by other devices. I would not be surprised to find Linux tools that allow a PC to act as a USB device, rather than USB master. From here on, it is just software again.
>
> and probably lots of other ways...

Thanks (to others too).

-- 
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
Remember. If something can go wrong, it will.

Archive: http://lists.debian.org/878w677f3b@merciadriluca-station.merciadriluca
Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?
Hi,

I use GNOME. I have noticed that if I type some erroneous password to leave the screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is erroneous. If I type the correct password, I am directly sent into my session. Why does it take so much time to tell me that a password is erroneous? I can even know if I made a typo by looking at how much time it takes!

Thanks.

-- 
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
I use PGP. If there is an incompatibility problem with your mail client, please contact me.
Nothing in life is to be feared; it is only to be understood. (Marie Curie)
Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?
On Mon, 21 Jun 2010 23:35:37 +0200 Merciadri Luca <luca.mercia...@student.ulg.ac.be> wrote:
> Hi,
>
> I use GNOME. I have noticed that if I type some erroneous password to leave the screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is erroneous. If I type the correct password, I am directly sent into my session. Why does it take so much time to tell me that a password is erroneous? I can even know if I made a typo by looking at how much time it takes!

Same thing with xscreensaver. I think that a lot of software that asks for a password behaves like this, perhaps to prevent brute-forcing? I'm not sure if brute-forcing is possible on a GUI, though.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

Archive: http://lists.debian.org/20100621174721.6d022ca4.cele...@gmail.com
Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?
On 06/21/2010 04:47 PM, Celejar wrote:
> On Mon, 21 Jun 2010 23:35:37 +0200 Merciadri Luca <luca.mercia...@student.ulg.ac.be> wrote:
>> Hi,
>>
>> I use GNOME. I have noticed that if I type some erroneous password to leave the screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is erroneous. If I type the correct password, I am directly sent into my session. Why does it take so much time to tell me that a password is erroneous? I can even know if I made a typo by looking at how much time it takes!
>
> Same thing with xscreensaver. I think that a lot of software that asks for a password behaves like this, perhaps to prevent brute-forcing? I'm not sure if brute-forcing is possible on a GUI, though.

Since I notice the same issue when logging in from the console, could it be a problem with libpam?

-- 
Seek truth from facts.

Archive: http://lists.debian.org/4c1fe2a5.9010...@cox.net
Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?
Hi!

On Mon, Jun 21, 2010 at 05:47:21PM -0400, Celejar wrote:
> On Mon, 21 Jun 2010 23:35:37 +0200 Merciadri Luca <luca.mercia...@student.ulg.ac.be> wrote:
>> I use GNOME. I have noticed that if I type some erroneous password to leave the screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is erroneous. If I type the correct password, I am directly sent into my session. Why does it take so much time to tell me that a password is erroneous? I can even know if I made a typo by looking at how much time it takes!

I believe that artificially introducing a delay when wrong credentials are presented is standard operating procedure for most things where a password must be entered. As far as I know, there are several rationales behind this:

- To frustrate anybody trying to guess passwords. Being allowed to try many combinations in a short time helps make things difficult for attackers, and does not help legitimate users.

- To avoid leaking information: If entering a nearly-correct password responds faster than when entering an obviously-wrong password, an attacker can use this to improve the guesses - sort of triangulating. If it always takes the same amount of time before the wrong username/password reply comes, this information is not available to a prospective attacker. I presume that some implementations add a random delay to obfuscate things further.

All in all, this makes things more difficult for attackers, whilst only being a minor inconvenience for the good guys: a good trade-off.

> Same thing with xscreensaver. I think that a lot of software that asks for a password behaves like this, perhaps to prevent brute-forcing? I'm not sure if brute-forcing is possible on a GUI, though.

I suspect this is simply a problem of acquiring the right tools for the job:

- X events can be generated by software (e.g. the xmacro package). This is evident if you use VNC to control a remote machine: the screen saver is none the wiser to the fact that you are remote.

- USB keyboards can probably be simulated by other devices. I would not be surprised to find Linux tools that allow a PC to act as a USB device, rather than USB master. From here on, it is just software again.

and probably lots of other ways...

-- 
Karl E. Jorgensen
IT Operations Manager

Archive: http://lists.debian.org/20100621221147.ge19...@hawking.jorgensen.org.uk
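As an added illustration (not code from this thread or from PAM), the two rationales Karl gives and the pam_faildelay entry Rob quotes, side by side in Python: an early-exit comparison whose cost grows with how much of the guess is right, beside a verifier that compares every byte in constant time and always pays the full failure delay, so the response time no longer depends on how close the guess was. The stored secret and the 300 ms delay are constructed values, and the byte counter stands in for wall-clock time so the leak is visible deterministically.

```python
import hmac
import time
from typing import Tuple

# Constructed values for the demonstration: not a real credential, and a
# delay chosen to be visible (pam_faildelay takes its delay in microseconds).
STORED_SECRET = b"correct horse battery staple"
FAIL_DELAY_US = 300_000


def naive_compare(attempt: bytes, secret: bytes) -> Tuple[bool, int]:
    """Early-exit comparison; returns (equal, number of bytes examined).

    The byte count is a deterministic stand-in for wall-clock time: a guess
    that shares a longer prefix with the secret keeps the loop running
    longer, which is the "nearly-correct vs obviously-wrong" signal Karl
    describes.
    """
    examined = 0
    for a, b in zip(attempt, secret):
        examined += 1
        if a != b:
            return False, examined
    return len(attempt) == len(secret), examined


def check_password(attempt: bytes, delay_us: int = FAIL_DELAY_US) -> Tuple[bool, float]:
    """Verify an attempt the way a PAM stack with pam_faildelay behaves.

    hmac.compare_digest looks at every byte whatever the position of the
    first mismatch, and every failure sleeps for the full delay, so the
    response time no longer depends on how close the guess was. Returns
    (ok, seconds spent).
    """
    start = time.monotonic()
    ok = hmac.compare_digest(attempt, STORED_SECRET)
    if not ok:
        time.sleep(delay_us / 1_000_000)
    return ok, time.monotonic() - start


if __name__ == "__main__":
    for guess in (b"wrong", b"correct horse battery staplE", STORED_SECRET):
        _, examined = naive_compare(guess, STORED_SECRET)
        ok, spent = check_password(guess, delay_us=50_000)
        print(f"{guess!r:35} naive examined {examined:2d} bytes; "
              f"pam-style: ok={ok} in {spent * 1000:.0f} ms")
```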
Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?
On Mon, 21 Jun 2010 23:11:50 +0100 Karl E. Jorgensen <k...@fizzback.net> wrote:
> Hi!
>
> On Mon, Jun 21, 2010 at 05:47:21PM -0400, Celejar wrote:
>
> ...
>
>> Same thing with xscreensaver. I think that a lot of software that asks for a password behaves like this, perhaps to prevent brute-forcing? I'm not sure if brute-forcing is possible on a GUI, though.
>
> I suspect this is simply a problem of acquiring the right tools for the job:
>
> - X events can be generated by software (e.g. the xmacro package). This is evident if you use VNC to control a remote machine: the screen saver is none the wiser to the fact that you are remote.
>
> - USB keyboards can probably be simulated by other devices. I would not be surprised to find Linux tools that allow a PC to act as a USB device, rather than USB master. From here on, it is just software again.
>
> and probably lots of other ways...

Good points; I should have realized this.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

Archive: http://lists.debian.org/20100621194402.bf3f1c1d.cele...@gmail.com