Home    All Articles    About    carlos@bueno.org    RSS

Lauren Ipsum and the Timing Attack

Lauren Ipsum is trying to get past Jane Hecate, a little old lady who holds the Book of Passwords. Jane is older and can't see well, so she has to spell out Lauren's guess letter by letter to check whether it's the right password. How can Lauren use this to her advantage?
A story about computer science
and other improbable things.

Below is a little game that lets you try to beat Jane yourself. The secret password is picked at random from a list of 10,000 dictionary words, and the box will show you valid words to make it a bit easier. No peeking at the source code. :)

(I'll give you a hint. Try .)

Can you guess the password?

Spoilers below...

What you are doing is a timing attack. If checking a completely wrong password takes less time than a mostly-wrong password, you can use that information to guess the password, one letter at a time.

The attacker's strategy is pretty much the same as the one used in the children's game hangman. It's stuff like this that makes building secure systems very hard. Make just one mistake, and compromising your system becomes literal child's play.

To fix this particular information leak, Jane should take exactly the same amount of time to return her yes/no answer, regardless of how close the guess is to the password. For example, she can simply keep checking letters even if they are incorrect. Or she could use a stopwatch and always wait to give her answer until 30 seconds have passed. Checking passwords is one of the few cases where an algorithm must be made slower to work correctly.

Like what you read? Lauren Ipsum is a children's story about computer science. Buy a copy and help us translate it into Spanish, Portuguese, and other languages.