
Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?




"Karl E. Jorgensen" <karl@fizzback.net> writes:

> Hi!
>
> On Mon, Jun 21, 2010 at 05:47:21PM -0400, Celejar wrote:
>> On Mon, 21 Jun 2010 23:35:37 +0200
>> Merciadri Luca <Luca.Merciadri@student.ulg.ac.be> wrote:
>> 
>> > I use GNOME.
>> > 
>> > I have noticed that if I type some erroneous password to leave the
>> > screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
>> > erroneous. If I type the correct password, I am directly sent in my
>> > session. Why does it take so much time to tell me that a password is
>> > erroneous? I can even know if I made a typo by looking at how much time
>> > it takes!
>
> I believe that artificially introducing a delay when wrong credentials are
> presented is standard operating procedure for most things where a password must
> be entered.  As far as I know, there are several rationales behind this:
>
> - To frustrate anybody trying to guess passwords. Being allowed to try many
>   combinations in a short time helps make things difficult for attackers, and
>   does not help legitimate users.
>
> - To avoid "leaking" information: If entering a "nearly-correct" password
>   responds faster than when entering an "obviously-wrong" password, an attacker
>   can use this to improve the guesses - sort of triangulating.  If it always
>   takes the same amount of time before the "wrong username/password" reply
>   comes, this information is not available to a prospective attacker.
>
>   I presume that some implementations add a random delay to obfuscate things
>   further.
>
> All in all, this makes things more difficult for attackers, whilst only being a
> minor inconvenience for the "good guys": a good trade-off.
>
>> Same thing with xscreensaver.  I think that a lot of software that asks
>> for a password behaves like this, perhaps to prevent brute-forcing?
>> I'm not sure if brute-forcing is possible on a GUI, though.
>
> I suspect this is simply a problem of acquiring the right tools for the job:
>
> - X events can be generated by software (e.g. the xmacro package).  This is
>   evident if you use VNC to control a remote machine:  the screen saver is
>   none the wiser to the fact that you are remote.
>
> - USB keyboards can probably be simulated by other devices. I would not be
>   surprised to find linux tools that allow a PC to act as a USB device, rather
>   than USB "master".  From here on, it is just software again.
>
> and probably lots of other ways...
Thanks (to others too).
-- 
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
-- 

Remember. If something can go wrong, it will. 
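The two measures Karl describes above (a comparison whose cost does not depend on how close the guess is, plus a fixed hold on failure) as an added example; this is illustrative code, not GNOME's or xscreensaver's unlock path, and the function names, delay value and sample password are assumptions.

```python
"""Added example: a password check that applies a fixed delay on failure and
compares in constant time, so a "nearly-correct" guess and an "obviously-wrong"
one are indistinguishable by timing. Names and sample data are constructed."""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000

# Constructed sample account: salted PBKDF2-SHA256 of the assumed password.
SALT = os.urandom(16)
STORED_HASH = hashlib.pbkdf2_hmac("sha256", b"example-passphrase", SALT, ITERATIONS)


def verify(submitted: bytes, salt: bytes, stored: bytes, fail_delay: float = 2.0) -> bool:
    """Return True if `submitted` matches `stored`.

    The hash is always computed in full and compared with hmac.compare_digest,
    so the work done does not shrink when only the first bytes differ.
    On failure the caller is held until `fail_delay` seconds have passed since
    the check started, which throttles guessing and makes every wrong answer
    take the same time regardless of how wrong it was.
    """
    start = time.monotonic()
    candidate = hashlib.pbkdf2_hmac("sha256", submitted, salt, ITERATIONS)
    ok = hmac.compare_digest(candidate, stored)
    if not ok:
        remaining = fail_delay - (time.monotonic() - start)
        if remaining > 0:
            time.sleep(remaining)
    return ok


def timed_verify(submitted: bytes, fail_delay: float = 2.0):
    """Demo helper: return (result, elapsed_seconds) for one unlock attempt."""
    start = time.monotonic()
    ok = verify(submitted, SALT, STORED_HASH, fail_delay)
    return ok, time.monotonic() - start


if __name__ == "__main__":
    # A one-character typo and a completely wrong guess should take equally long.
    for guess in (b"example-passphrase", b"example-passphrasf", b"zzz"):
        ok, elapsed = timed_verify(guess, fail_delay=0.5)
        print(f"{guess!r:24} ok={ok} elapsed={elapsed:.2f}s")
```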

