[145955] in cryptography@c2.net mail archive
Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Sun Oct 3 09:11:09 2010
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: leichter@lrw.com, outer@sympatico.ca
Cc: cryptography@metzdowd.com
In-Reply-To: <1F18EEA8-3E12-4093-9865-2910C0610C72@lrw.com>
Date: Sun, 03 Oct 2010 14:05:11 +1300
Jerry Leichter <leichter@lrw.com> writes:
>By the way, the "don't acknowledge whether it was the login ID or the
>password that was wrong" example is one of those things "everyone knows" -
>along with "change your password frequently" - that have long passed their
>"use by" date.
You got there before I did - real-world studies of users have shown that a
common failure mode for this is that when users get their user name wrong they
then try every password they can think of under the assumption that they've
remembered the wrong password for the site. So not only does not
distinguishing between incorrect username and incorrect password not help [0],
it actually makes things much, much worse by training users to enter every
password for every site they know.
Peter.
[0] Well, it helps the attackers I guess...
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
