by thisGuysAccount
4211 days ago
I might be missing what you're not following, but here's a quick explanation (and a reason why it's not a concern):

Correct username, correct password: takes 30 ms to execute the code.
Correct username, incorrect password: takes 15 ms to execute the code.
Incorrect username: takes 7 ms to execute the code.

You fuzz usernames, you get one that takes 15 ms, you know that's a valid username. You then start working the password.

Not necessary on most systems, because we're working at speeds that are measured in nanoseconds, and since we're using networks for many attacks, the delays are unpredictable and measured in (at least) milliseconds.

If anything, the timing attacks weaken the argument against hiding usernames.
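
Added example, not part of the thread: a login check whose cost depends on whether the username exists, next to one that does the same password-hash work either way. The account, the iteration count and every function name are constructed for illustration; the example counts slow-hash calls instead of timing them so the result is deterministic.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value, kept low so the example runs quickly
kdf_calls = 0        # number of slow-hash invocations, the dominant per-request cost

def slow_hash(password: str, salt: bytes) -> bytes:
    """Password hash; each call is the expensive step a timing difference exposes."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str):
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

USERS = {"alice": make_record("correct horse")}  # constructed sample account
DUMMY = make_record("placeholder")               # stand-in record for unknown usernames

def login_leaky(username: str, password: str) -> bool:
    """Returns early for unknown users, so those requests skip the hash entirely."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return slow_hash(password, salt) == stored

def login_uniform(username: str, password: str) -> bool:
    """Hashes against a dummy record when the user is unknown, so both paths cost the same."""
    record = USERS.get(username)
    salt, stored = record if record is not None else DUMMY
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    # The dummy record must never authenticate anyone, even if its password is guessed.
    return matches and record is not None

def kdf_cost(login, username: str, password: str) -> int:
    """How many slow-hash calls one login attempt triggered."""
    before = kdf_calls
    login(username, password)
    return kdf_calls - before

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__,
              "known user:", kdf_cost(fn, "alice", "wrong"),
              "unknown user:", kdf_cost(fn, "nobody", "wrong"))
```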