And it is unfortunately also all to easy to introduce errors during design or coding that no one will ever notice until its too late, like forgetting to actually check the password, do it wrong (Apples recent SSL bug in Safari comes to mind), duplicating same password to different users, allowing session hijacking, and so on, all depending on the specific context of the system and how its implemented of course. For instance, a naive rejection of wrong passwords based on comparing bytes can leak information and open the system for timing attacks, low entropy during password generation can make the password much easier to guess (as Bill mentions), and if the passwords are sent to the system in the clear an attacker can simply eavesdrop on the communication to get one.
Usually a password system have to be designed with care to avoid weaknesses, that is, attacks that on average will do far better than brute-force searching for the correct combination of characters.
0 kommentar(er)
