Re: login sleeps too long on incorrect logins...
But I think what he was hinting at was the difference in delays... if it
delays longer, you know the username is invalid, which actually _helps_
brute forcing.
----- Original Message -----
From: "Daniel Grunblatt" <daniel@grunblatt.com.ar>
To: "Denis A. Doroshenko" <d.doroshenko@omnitel.net>
Cc: <tech@openbsd.org>
Sent: Monday, June 04, 2001 9:13 AM
Subject: Re: login sleeps too long on incorrect logins...
> I think that it's fine like now just to delay any try to remote brute
> force username guesses.
>
> d.-
>
> On Mon, 4 Jun 2001, Denis A. Doroshenko wrote:
>
> > Hello, more than once I have noticed that login sleeps too long on incorrect
> > logins (bad username). It is noticeably longer than the failure for an account
> > when a bad password is supplied. As I see from src/usr.bin/login/login.c
> > it is a simple sleep with a random time (1..3 secs). Wouldn't it be better to
> > try to encrypt some random string with crypt(3) to get a delay emulating the
> > pause? Because on my 486 this pause is ok, but on my Celeron 300 I
> > can clearly distinguish between non-existing-user and bad-password
> > incorrect logins...
> >
> > --
> > Denis A. Doroshenko [GPRS/IN/WAP, VAS group engineer]
> > [Omnitel Ltd., T.Sevcenkos st. 25, Vilnius, Lithuania]
> > [Phone: +370 9863486 E-mail: d.doroshenko@omnitel.net]