Sunday, 8 April 2012

Adding a delay to prevent brute force user and password attacks

One of the OWASP projects I really like is AppSensor and I'm trying to find a way to integrate its concepts into TeamMentor.

So to kickstart this process, I just added a small delay to the login check (see this commit for the details).

I was playing around with the timings and I felt that 500ms was a good amount.

1000ms (1s) felt like too much of a delay and was affecting the user experience.

In principle, this simple 500ms delay should make a difference to an attacker's ability to brute force TM account details (username and password).
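As an added illustration (this is not the code from the linked commit, which the post does not reproduce): a small Python login check that applies the 500ms as a minimum response time rather than an unconditional sleep, so it throttles guessing and also hides how long the check itself took, which is the timing question raised in the comments below. The user store, salt, hash parameters and function names are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed sample user store (not TeamMentor's): username -> PBKDF2 hash.
_SALT = b"constructed-example-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"alice": _hash("correct horse battery staple")}
# Hashed against when the username is unknown, so that path does the same work.
_DUMMY_HASH = _hash("placeholder-for-unknown-users")

LOGIN_DELAY_S = 0.5  # the 500 ms the post settled on


def check_login(username: str, password: str, delay_s: float = LOGIN_DELAY_S) -> bool:
    """Return True only for a valid username/password pair.

    Every call, successful or not, takes at least delay_s. Treating the delay
    as a floor (sleep only for the time left over) keeps responses uniform
    instead of adding 500 ms on top of a check whose duration may vary.
    """
    start = time.monotonic()
    stored = USERS.get(username, _DUMMY_HASH)
    # Constant-time comparison; still runs for unknown users.
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    remaining = delay_s - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return ok


def check_login_timed(username: str, password: str, delay_s: float = LOGIN_DELAY_S):
    """Same check, also returning the elapsed seconds for measuring the floor."""
    start = time.monotonic()
    ok = check_login(username, password, delay_s)
    return ok, time.monotonic() - start


def max_guesses_per_hour(delay_s: float, parallel_sessions: int = 1) -> int:
    """Upper bound on guesses per hour the delay allows; parallel sessions multiply it,
    which is why a per-request delay is a throttle, not a lockout."""
    return int(parallel_sessions * 3600 / delay_s)
```

With the post's 500ms, one session is capped at 7200 guesses per hour; the bound scales linearly with the number of concurrent sessions, so the delay is best combined with per-account attempt counting.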

2 comments:

DC said...

Using a random delay would help defeat timing attacks.

dinis said...

Actually, I'm not 100% sure if TeamMentor (in its login logic) has the potential for timing attacks, since that 'if statement' is all that is happening on the server side.

But hey, why don't you fire up an O2 script and prove me wrong :)


In fact I want to build such an O2 script (with statistical analysis of login timings), since I want to have a better formula for how to calculate the best delay time (since in the real world, there are network delays to be taken into account).