Re: Why does GNOME take so much time to tell that a screensaver-introduced password is erroneous?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
"Karl E. Jorgensen" <karl@fizzback.net> writes:
> Hi!
>
> On Mon, Jun 21, 2010 at 05:47:21PM -0400, Celejar wrote:
>> On Mon, 21 Jun 2010 23:35:37 +0200
>> Merciadri Luca <Luca.Merciadri@student.ulg.ac.be> wrote:
>>
>> > I use GNOME.
>> >
>> > I have noticed that if I type some erroneous password to leave the
>> > screensaver mode, GNOME takes ~3 or 4 secs. to tell me that it is
>> > erroneous. If I type the correct password, I am directly sent in my
>> > session. Why does it take so much time to tell me that a password is
>> > erroneous? I can even know if I made a typo by looking at how much time
>> > it takes!
>
> I believe that artificially introducing a delay when wrong credentials are
> presented is standard operating procedure for most things where a password must
> be entered. As far as I know, there are several rationales behind this:
>
> - To frustrate anybody trying to guess passwords. Being allowed to try many
> combinations in a short time helps make things difficult for attackers, and
> does not help legitimate users.
>
> - To avoid "leaking" information: If entering a "nearly-correct" password
> responds faster than when entering an "obviously-wrong" password, an attacker
> can use this to improve the guesses - sort of triangulating. If it always
> takes the same amount of time before the "wrong username/password" reply
> comes, this information is not available to a prospective attacker.
>
> I presume that some implementations add a random delay to obfuscate things
> further.
>
> All in all, this makes things more difficult for attackers, whilst only being a
> minor inconvenience for the "good guys": a good trade-off.
>
>> Same thing with xscreensaver. I think that a lot of software that asks
>> for a password behaves like this, perhaps to prevent brute-forcing?
>> I'm not sure if brute-forcing is possible on a GUI, though.
>
> I suspect this is simply a problem of aquiring the right tools for the job:
>
> - X events can be generated by software (e.g. the xmacro package). This is
> evident if you use VNC to control a remote machine: the screen saver is
> none-the-wiser to the fact that you are remote.
>
> - USB keyboards can probably be simulated by other devices. I would not be
> surprised to find linux tools that allow a PC to act as a USB device, rather
> than USB "master". From here on, it is just software again.
>
> and probably lots of other ways...
Thanks (to others too).
- --
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
- --
Remember. If something can go wrong, it will.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>
iEYEARECAAYFAkwgWNgACgkQM0LLzLt8MhzcMgCdHASZt+7SWGzcPYlaW+5kijMY
EDgAnRjr8APT5krnDH1WNXxmKEEqgfrT
=8OCG
-----END PGP SIGNATURE-----
Reply to: