Timing attacks

SINCLAIR DOUGLAS N sinclai at ecf.toronto.edu
Mon Dec 11 12:42:24 PST 1995

I have had some success using timing against UNIX to find out what usernames
are valid on systems with finger &c disabled.  If a username does not exist,
it returns the "Login incorrect" a lot faster than it would if the username
existed but the password was incorrect.  I wonder how many other systems are
vulnerable to this sort of attack.

More information about the cypherpunks-legacy mailing list