by okreallywtf
3644 days ago
If this was the case, I would think that a single request where they record the timing between characters client-side and post that timing information along with the password would work better. Timing incoming POST requests as part of a single password reset "session" seems fraught with problems; I can't see how you could really trust the timing numbers you would get. I type my password pretty fast generally, and I wouldn't be surprised if the margin of error on that timing is a significant percentage of the average time per key press. Of course you can't trust anything from the client, and both methods are subject to tampering; I'm not sure which is more tamper resistant.