Monthly Archives: December 2016

Password validation takes a while, how cool is that!!


You log in to your favorite web app and it takes a little while to get your login validated, or your password consumed, depending on your take on things,
or
You log in to your favorite APEX application, and after every 3rd shot, it takes a bit longer to retry

You are sure what you are doing and you are surely not drunk, but just mistyped the ****-password.

It is annoying, but is it?

I was at DOAG2016 and one of the closing keynotes was by the amazing Thobias Schrödel. He had an amazing show – as you need to call it – on IT Security and he also did some life hacking examples. Amazing to see how quickly an account can be hacked!

One of the examples shown there was how to quickly “break” a password by just letting a password hacking tool run randomly (brute-force attack).
And, of course, there are many ways to make your secure your environment with a lot of different opinions, for example;

  • Change your password regularly
  • Make it 16 characters, using at least two capitals letter, 4 numbers, two extended characters, at least 4 lower case characters, and so on
  • Salt it
  • Single Sign-on
  • Pepper it
  • Hash it
  • and so on and so forth

And I am relatively convinced some of these countermeasures actually add to security in a real-world scenario. You know, the kind of place where users en up having to create an elaborate booklet of those traditional yellow post-its with password, just to be able to do their daily job.

What is the point?

Well, actually, in the battle against complexity, just waiting a couple of seconds before your get your next try to enter your password already adds a whole bunch of security.
Your brute-force tool can generate and enter a gazillion different password in matter of minutes, but if each next attempt makes it had to wait 3 seconds, or even 2 for that matter, will slow it down in a way that it makes no sense at all anymore to even try.

It’ just a thought, hope it helps.