Researchers: Password crack could affect millions

Researchers: Password crack could affect millions
Researchers: Password crack could affect millions 

By Robert McMillan
IDG News Service
July 15, 2010 

A well-known cryptographic attack could be used by hackers to log into 
Web applications used by millions of users, according to two security 
experts who plan to discuss the issue at an upcoming security 

Researchers Nate Lawson and Taylor Nelson say they've discovered a basic 
security flaw that affects dozens of open-source software libraries -- 
including those used by software that implements the OAuth and OpenID 
standards -- that are used to check passwords and user names when people 
log into websites. OAuth and OpenID authentication are accepted by 
popular Web sites such as Twitter and Digg.

They found that some versions of these login systems are vulnerable to 
what's known as a timing attack. Cryptographers have known about timing 
attacks for 25 years, but they are generally thought to be very hard to 
pull off over a network. The researchers aim to show that's not the 

The attacks are thought to be so difficult because they require very 
precise measurements. They crack passwords by measuring the time it 
takes for a computer to respond to a login request. On some login 
systems, the computer will check password characters one at a time, and 
kick back a "login failed" message as soon as it spots a bad character 
in the password. This means a computer returns a completely bad login 
attempt a tiny bit faster than a login where the first character in the 
password is correct.


Attend Black Hat USA 2010, hosted at Caesars Palace in Las Vegas, Nevada
July 24-29th, offering over 60 training sessions and 11 tracks of Briefings
from security industry elite. To sign up visit 

Site design & layout copyright © 1986-2015 CodeGods