
What would be wrong with the username/password checker where the response is instantaneous for valid attempts but a pre-built time delay (say 1 sec) is used for unsuccessful ones? It would not slow down legitimate users, but would obviate the need for key derivation functions, and thwart the timing attacks. Can someone critique please?

schroeder
postoronnim
  • Using a timing attack I could most likely enumerate your username(s) in case they're email addresses. If you have a password reset mechanism with the same "feature", I could enumerate your usernames for sure! – Jeroen Aug 13 '19 at 17:09
  • https://security.stackexchange.com/questions/94432/should-i-implement-incorrect-password-delay-in-a-website-or-a-webservice and https://security.stackexchange.com/questions/85435/silently-limiting-login-attempts and https://security.stackexchange.com/questions/958/how-to-protect-against-brute-forcing – schroeder Aug 13 '19 at 17:15
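An added illustration of the enumeration point raised in the comments, written for this page and not taken from the question's author or the linked threads. It models the proposed checker (instant on success, fixed delay on any failure) next to a variant that does the same work on every path. The clock is simulated so the example runs instantly and deterministically; the account list, the 1-second penalty and the assumed 0.25-second KDF cost are all constructed values.

```python
"""Model of the login checker proposed in the question (instant on success,
fixed delay on failure) next to a variant that costs the same for every
outcome. Time is simulated with an injectable clock so the example runs
instantly and deterministically; all accounts and timings are constructed."""
import hashlib
import hmac
import os

FAILURE_DELAY = 1.0       # the 1-second penalty from the question
KDF_COST = 0.25           # assumption: simulated seconds one KDF call takes
KDF_ITERATIONS = 10_000   # kept low so the example runs quickly


class SimClock:
    """Deterministic stand-in for time.monotonic() / time.sleep()."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def make_record(password):
    salt = os.urandom(16)
    return salt, kdf(password, salt)


# Constructed sample user database: username -> (salt, PBKDF2 hash).
USERS = {"alice@example.com": make_record("correct horse battery staple")}
# Dummy record so unknown usernames still pay the KDF cost in the uniform path.
DUMMY_SALT, DUMMY_HASH = make_record(os.urandom(16).hex())


def login_as_proposed(username, password, clock):
    """The question's design. Unknown usernames never reach the KDF, so their
    failures complete one KDF_COST sooner than a wrong password for a real
    account: the elapsed time reveals whether the account exists."""
    start = clock.now()
    ok = False
    record = USERS.get(username)
    if record is not None:
        salt, stored = record
        clock.sleep(KDF_COST)  # simulated cost of the real KDF call below
        ok = hmac.compare_digest(kdf(password, salt), stored)
    if not ok:
        clock.sleep(FAILURE_DELAY)
    return ok, clock.now() - start


def login_uniform(username, password, clock):
    """Same work on every path: the KDF always runs (against a dummy record for
    unknown users) and no outcome-dependent delay is added, so elapsed time no
    longer distinguishes a nonexistent account from a wrong password."""
    start = clock.now()
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    clock.sleep(KDF_COST)
    matched = hmac.compare_digest(kdf(password, salt), stored)
    ok = matched and username in USERS
    return ok, clock.now() - start


def enumeration_gap(login):
    """Timing difference between a wrong password for a real account and one for
    a nonexistent account. Anything other than 0.0 means the endpoint leaks
    account existence through latency."""
    clock = SimClock()
    _, t_known = login("alice@example.com", "wrong-password", clock)
    _, t_unknown = login("nobody@example.com", "wrong-password", clock)
    return abs(t_known - t_unknown)


if __name__ == "__main__":
    print("proposed design gap:", enumeration_gap(login_as_proposed))  # 0.25
    print("uniform design gap: ", enumeration_gap(login_uniform))      # 0.0
```

Run as a script it prints the two gaps. The proposed design leaks one KDF cost of latency between "account exists, wrong password" and "account does not exist", which is exactly the enumeration the comments warn about; the uniform path closes that gap by doing identical work whether or not the username is real. The delay also does not replace the KDF: it is a cost paid only by callers of the live endpoint, while the KDF's job is to make hashes expensive to attack once the password database itself has been copied, a scenario the login delay never sees.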

0 Answers