Did you ever notice that when you enter a wrong login password on your system, it takes longer to verify? Doesn’t that seem like an anomaly? Verifying a correct password means every character has to match, while a wrong password would only fail at the last character in the worst case; most wrong attempts should fail earlier.
If we go by the time taken to match one character, it would indeed seem that a wrong password should take less time to check in most cases. However, that is not what happens on modern operating systems. The reason is security.
The delay is artificial: the algorithm is designed so that, irrespective of how long the system actually takes to figure out that the password is wrong, the feedback reaches the user after a constant time, with a calculated amount of delay added. Why?
- This technique makes brute-force attacks slower.
- If a wrong password takes exactly the same amount of time to verify every time, it is impossible to draw any conclusion about why the password was rejected. If a simple hypothetical password checker compared the characters one by one and returned as soon as one failed to match, an attacker could enter passwords of varying length, measure the response times, and work out how long it takes to fail at the nth character. This is the principle on which timing attacks work.
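The two checkers described above side by side, as an added example that is not from the original post: the early-exit comparison reports how many characters it examined (the quantity response time leaks), the constant-time version always examines every character, and `verify_password` combines a digest comparison with a fixed minimum response time. The salt, iteration count and sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import time

def naive_compare(expected: bytes, attempt: bytes) -> tuple[bool, int]:
    """Early-exit check: stops at the first mismatching byte.
    Returns (matches, bytes_examined); the second value is exactly what
    an attacker infers from the response time."""
    examined = 0
    for e, a in zip(expected, attempt):
        examined += 1
        if e != a:
            return False, examined
    return len(expected) == len(attempt), examined

def constant_time_compare(expected: bytes, attempt: bytes) -> tuple[bool, int]:
    """Examines every byte of `expected` no matter where the first mismatch
    is; a length mismatch is folded into the result instead of short-circuiting,
    so the work done depends only on len(expected)."""
    probe = (attempt + b"\x00" * len(expected))[:len(expected)]
    diff = len(expected) ^ len(attempt)
    examined = 0
    for e, a in zip(expected, probe):
        examined += 1
        diff |= e ^ a          # accumulate, never branch on the byte
    return diff == 0, examined

def make_stored_password(password: str, salt: bytes) -> bytes:
    """Constructed storage format: PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(salt: bytes, stored: bytes, attempt: str,
                    min_response_seconds: float = 0.25) -> bool:
    """Hash the attempt (same cost for right and wrong passwords), compare
    digests with the stdlib constant-time hmac.compare_digest, then pad the
    response up to a fixed minimum so timing reveals nothing about the failure."""
    start = time.perf_counter()
    ok = hmac.compare_digest(make_stored_password(attempt, salt), stored)
    remaining = min_response_seconds - (time.perf_counter() - start)
    if remaining > 0:
        time.sleep(remaining)  # the artificial delay described above
    return ok

if __name__ == "__main__":
    for guess in (b"xunter2", b"huntex2", b"hunter2"):
        print(guess, naive_compare(b"hunter2", guess), constant_time_compare(b"hunter2", guess))
    salt = b"constructed-salt"
    stored = make_stored_password("hunter2", salt)
    print(verify_password(salt, stored, "hunter2"), verify_password(salt, stored, "hunter3"))
```

The naive checker's examined count grows with the length of the correct prefix, which is the signal a timing attack measures; the constant-time checker's count is fixed at the length of the expected value.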