[WEB SECURITY] quick question on password reset 'best practices'

bugtraq at cgisecurity.net bugtraq at cgisecurity.net
Tue Jun 3 17:25:51 EDT 2008

> > This is a great point Jeremiah - I almost always err on the side of
> > caution and consider any roadblock I can throw in the way of an  
> > attacker
> > a good thing, but in a high volume site I can definitely see a good  
> > case
> > for a less generic response. I wonder if it would be recommended to
> > Sleep() the login process an arbitrary 10 seconds whether it was valid
> > or rejected to take away the timing vector?
> I think it was Robert Auger who recently brought up the question of  
> how to defend against timing attacks on web-based applications and  
> asked how to defend against them. The responses were few and I think  
> indicative of general lack of good ideas on what to do about them. I  
> don't know of any best practices in the webappsec space.

You CAN normalize the response times however this would involve slowing down
legit transactions. You'll also in all likelihood have to throw more hardware
at this solution in order to handle more concurrent transactions in massive 

I had sent a post to the list back in May on this topic

Additional Reading:

One thing's for sure: we've barely scratched the surface of timing attacks. I give it
a year or two before it is 'the next big shiny thing' in the appsec industry :) 

- Robert
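Robert's reply above says you can normalize response times at the cost of slowing legitimate requests. As an added example that is not part of the original thread, here is one way to do that for a password-reset handler in Python: pad every response up to a fixed floor and keep the message generic. The user store, the floor value and the function names (`lookup_user`, `reset_request`, `timed`) are constructed for the example.

```python
"""Response-time normalisation for a password-reset endpoint (added example)."""
import hashlib
import hmac
import time

# Constructed sample user store: username -> salted hash of the account e-mail.
# A real deployment would hit a database here; the dict is a stand-in.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"alice@example.com").hexdigest()}
OUTBOX = []  # reset mails that would be sent (constructed, in-memory)

# Floor every response is padded up to. As the thread notes, this slows legitimate
# requests too, so pick the floor just above the slowest normal path, not 10 s.
MIN_RESPONSE_SECONDS = 0.05


def lookup_user(username):
    """Simulate the expensive branch (DB round trip + hashing) that only runs
    for existing users. This asymmetry is what a timing attack measures."""
    if username in USERS:
        time.sleep(0.01)  # stand-in for the DB round trip
        return USERS[username]
    return None


def reset_request(username, email):
    """Handle a reset request with the same message and the same minimum
    elapsed time whether or not the username exists."""
    start = time.monotonic()
    stored = lookup_user(username)
    # Always compute a digest, even for unknown users, and compare it with a
    # constant-time comparison so the compare itself does not leak existence.
    candidate = hashlib.sha256(_SALT + email.encode()).hexdigest()
    matched = stored is not None and hmac.compare_digest(candidate, stored)
    if matched:
        OUTBOX.append(email)  # the only behaviour that differs is invisible to the client
    # Pad the remaining time up to the floor so both branches converge.
    remaining = MIN_RESPONSE_SECONDS - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return "If that account exists, a reset e-mail has been sent."


def timed(username, email):
    """Return (message, elapsed seconds) so the normalisation can be checked."""
    start = time.monotonic()
    msg = reset_request(username, email)
    return msg, time.monotonic() - start
```

Padding to a floor removes the cheap "unknown user" fast path but does not hide requests that take longer than the floor, so the floor must be re-checked whenever the slow path changes.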
