Wrong passwords take longer to verify

Did you ever notice that when you enter a wrong login password on your system, it takes longer to verify? That seems like an anomaly: verifying a correct password means every character has to match, while a wrong password would fail at the last character only in the worst case, and most wrong attempts should fail earlier.

If we go by the time taken to match one character, it would indeed seem that a wrong password should take less time to check in most cases. However, that is not what happens on modern operating systems. The reason is security.

The delay is deliberate. Irrespective of how long the system actually needs to figure out that the password is wrong, the algorithm adds a calculated amount of delay so that the feedback reaches the user after a constant time. Why?

  • This technique makes brute force attacks slower.
  • If a wrong password takes exactly the same amount of time to verify every time, no conclusion can be drawn about why the password was rejected. If a simple hypothetical password checker compared the characters one by one and returned as soon as one failed, an attacker could enter passwords of varying length, measure the response times, and work out how long it takes to fail at the nth character. This is the principle on which timing attacks work.
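The two defences above can be seen side by side in code. The following is an added example, not code from the original post: it implements the hypothetical early-exit checker from the second bullet, a comparison that does the same amount of work regardless of where the first mismatch is, and a verifier that pads its response to a fixed minimum time as the post describes. Instead of measuring wall-clock time, the comparison functions return the number of byte comparisons they performed, which is the quantity a timing attacker infers from elapsed time. The secret `hunter2`, the salt and the guesses are constructed sample values.

```python
import hashlib
import hmac
import os
import time


def naive_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison, as the hypothetical naive checker would do it.

    Returns (match, number of byte comparisons performed). The count stands
    in for elapsed time: it grows with the position of the first mismatch,
    which is exactly the signal a timing attack measures.
    """
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_work_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Compare without early exit: every byte of `a` is always visited.

    Mismatches are OR-ed into an accumulator instead of triggering a return,
    so the amount of work does not depend on where the first mismatch is.
    A length mismatch is folded into the same accumulator.
    """
    diff = len(a) ^ len(b)
    steps = 0
    for i in range(len(a)):
        steps += 1
        other = b[i] if i < len(b) else 0  # keep looping even if b is shorter
        diff |= a[i] ^ other
    return diff == 0, steps


def hash_password(password: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: a real system stores a salted hash, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def verify_with_fixed_delay(candidate: bytes, salt: bytes, stored_hash: bytes,
                            min_response_seconds: float = 0.25) -> tuple[bool, float]:
    """Verify a password and always respond after at least min_response_seconds.

    The hash comparison uses hmac.compare_digest (constant-time in the standard
    library), and whatever time is left over is padded with sleep, so a correct
    and an incorrect password both return after the same minimum interval.
    Returns (match, seconds elapsed inside this function).
    """
    start = time.monotonic()
    ok = hmac.compare_digest(hash_password(candidate, salt), stored_hash)
    remaining = min_response_seconds - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return ok, time.monotonic() - start


def mismatch_profile(secret: bytes, guesses: list[bytes]) -> list[int]:
    """Work counts the naive checker reveals for each guess (one per guess)."""
    return [naive_compare(secret, g)[1] for g in guesses]


if __name__ == "__main__":
    secret = b"hunter2"  # constructed sample secret
    guesses = [b"Xunter2", b"hXnter2", b"huXter2", b"hunteX2", b"hunter2"]
    # Naive checker leaks the position of the first wrong byte through its work.
    print("naive   :", mismatch_profile(secret, guesses))                      # [1, 2, 3, 6, 7]
    # Constant-work checker does the same amount of work for every guess.
    print("constant:", [constant_work_compare(secret, g)[1] for g in guesses])  # [7, 7, 7, 7, 7]

    salt = os.urandom(16)  # constructed per run
    stored = hash_password(secret, salt)
    for cand in (secret, b"wrong"):
        ok, elapsed = verify_with_fixed_delay(cand, salt, stored, 0.2)
        print(f"{cand!r}: ok={ok}, responded after {elapsed:.2f}s")
```

The first two lists show the leak directly: the naive checker's work count climbs as the guess gets more leading bytes right, while the constant-work count is flat. The fixed-delay verifier then shows the post's second mechanism, padding the response so a wrong password takes no less time than a right one. In practice the constant-time comparison matters more than the padding, because sleep-based padding only hides variation smaller than the chosen minimum.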
