[45159] in Cypherpunks
Timing attacks
daemon@ATHENA.MIT.EDU (SINCLAIR DOUGLAS N)
Mon Dec 11 12:35:56 1995
From: SINCLAIR DOUGLAS N <sinclai@ecf.toronto.edu>
To: cypherpunks@toad.com
Date: Mon, 11 Dec 1995 11:10:42 -0500

I have had some success using timing against UNIX to find out what usernames
are valid on systems with finger &c disabled. If a username does not exist,
it returns the "Login incorrect" a lot faster than it would if the username
existed but the password was incorrect. I wonder how many other systems are
vulnerable to this sort of attack.
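
The timing gap described in the message above, as an added example that is not part of the original post: it assumes the common cause, a login routine that only computes the slow password hash when the account exists, and shows that routine beside one that does the same work for every name. The account data, function names and work factor are constructed for illustration, and the count of hash computations stands in for elapsed time so the result is deterministic.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # constructed work factor for this example
hash_calls = 0        # expensive hash computations so far (proxy for time spent)

def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow password hash; this is where login time goes."""
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_entry(password: str):
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

# Constructed account database: one real user.
USERS = {"alice": make_entry("correct horse")}
# Throwaway entry with a random password, verified against for unknown names.
DUMMY = make_entry(os.urandom(16).hex())

def login_leaky(user: str, password: str) -> bool:
    entry = USERS.get(user)
    if entry is None:
        return False  # returns before hashing: the fast reply marks the name as unknown
    salt, stored = entry
    return hmac.compare_digest(slow_hash(password, salt), stored)

def login_uniform(user: str, password: str) -> bool:
    entry = USERS.get(user)
    salt, stored = entry if entry is not None else DUMMY
    # Always hash and compare, so known and unknown names cost the same.
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return ok and entry is not None

def hashes_used(fn, user: str, password: str) -> int:
    """Number of slow hashes one login attempt triggered."""
    before = hash_calls
    fn(user, password)
    return hash_calls - before

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        for name in ("alice", "nobody"):
            print(fn.__name__, name, hashes_used(fn, name, "wrong"))
```

Equalizing the hash work removes the largest difference; other per-account steps such as lockout checks or logging need the same treatment to keep response times uniform.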