What would be wrong with the username/password checker where the response is instantaneous for valid attempts but a pre-built time delay (say 1 sec) is used for unsuccessful ones? It would not slow down legitimate users, but would obviate the need for key derivation functions, and thwart the timing attacks. Can someone critique please?
- Using a timing attack I could most likely enumerate your username(s) in case they're email addresses. If you have a password reset mechanism with the same "feature", I could enumerate your usernames for sure! – Jeroen Aug 13 '19 at 17:09
- https://security.stackexchange.com/questions/94432/should-i-implement-incorrect-password-delay-in-a-website-or-a-webservice and https://security.stackexchange.com/questions/85435/silently-limiting-login-attempts and https://security.stackexchange.com/questions/958/how-to-protect-against-brute-forcing – schroeder Aug 13 '19 at 17:15
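The following is an added illustration, not part of the question or the comments above, of the two points that a critique of the proposal turns on. First, a server-side delay on failed logins only slows down online guessing; it does nothing for a leaked password database, which is what a key derivation function (KDF) protects, so the delay cannot replace the KDF. Second, the username enumeration the first comment warns about comes from doing different work on different code paths (for example, skipping the password hash when the username is unknown), so the fix is to do the same work on every path rather than to add a delay afterwards. The code uses a constructed in-memory user store and the standard library's `hashlib.pbkdf2_hmac` and `hmac.compare_digest`; the dummy record, the iteration count and the user data are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user store for the example; a real service would use a database.
KDF_ITERATIONS = 50_000  # assumption for the example; tune to the deployment


def make_record(password: str) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return {"salt": salt, "digest": digest}


USERS = {"alice@example.com": make_record("correct horse battery staple")}

# Dummy record used when the username is unknown, so the KDF runs on every path
# and an unknown username costs the same time as a wrong password. Its random
# password is never accepted because existence is checked separately below.
_DUMMY_RECORD = make_record(os.urandom(32).hex())


def verify_login(username: str, password: str) -> bool:
    """Return True only for a known user with the right password.

    The KDF and the digest comparison run regardless of whether the user
    exists, so response time does not reveal which usernames are valid.
    """
    record = USERS.get(username)
    known = record is not None
    if not known:
        record = _DUMMY_RECORD
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], KDF_ITERATIONS
    )
    # compare_digest avoids an early-exit comparison that leaks matching prefix length.
    matches = hmac.compare_digest(candidate, record["digest"])
    # Both values are already computed, so this final combination does no extra work.
    return known and matches


def time_attempt(username: str, password: str) -> float:
    """Wall-clock seconds for one login attempt (for the reader's own comparison)."""
    start = time.perf_counter()
    verify_login(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Expected: all three timings are dominated by the same KDF cost.
    print("known user, right password :", round(time_attempt("alice@example.com", "correct horse battery staple"), 4))
    print("known user, wrong password :", round(time_attempt("alice@example.com", "guess"), 4))
    print("unknown user               :", round(time_attempt("nobody@example.com", "guess"), 4))
```

Running the block prints three timings that are all dominated by the same KDF cost, which is the property the proposal in the question lacks: there, a valid attempt returns at once and a failed one waits a fixed second, but any path that skips the hash for an unknown user still stands out inside that second. Wall-clock timings are machine dependent, so they are printed rather than asserted.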