[erlang-questions] Two beautiful programs - or web programming made easy

Håkan Huss <>
Wed Feb 16 08:54:56 CET 2011


You didn't really time the function, you made sure that the second
page was non-existant and checked whether or not it had been created
after the call. See for instance

http://groups.google.com/group/alt.folklore.computers/msg/00d243bb0caa9f69?dmode=source&pli=1

Anyway, no-one stores passwords in plain text these days, right? (I
always check the "forgot password" mechanism of web sites that I sign
up to. If they can send me my password I tend to be wary of their
security. If they offer to reset my password, they at least got one
thing right...).

Regards,
/Håkan

On Wed, Feb 16, 2011 at 07:17, Bengt Kleberg <> wrote:
> Greetings,
>
> Google does not find anything about this so from memory:
>
> The password had to be stored on two different virtual memory pages. You
> started with the first character on page one, and the rest on page 2.
> The library function that checked if this was the right password would
> return faster if the character on page one was correct. After trying all
> possible first characters you would then know the correct character.
> Then put both the correct first character and another (probably wrong)
> character one virtual memory page one, the rest on page two. Repeat.
>
>
> bengt
>
> On Tue, 2011-02-15 at 21:59 +0100, Robert Virding wrote:
>> ----- "Jesper Louis Andersen" <> wrote:
>>
>> > Beware the side-channel attack. Crypto done right, mathematically, is
>> > not secure anymore. You need certain functions to take the same
>> > amount
>> > of time always, or you can gleam off bits from information theoretic
>> > attacks.
>>
>> This reminds of something from the annals of history, from the golden age of computing. Apparently on a Dec-10 you could tell how many of the characters in an attempted password were correct by the time it took for the system to return that it was an illegal password. Or so the legends say.
>>
>> Robert
>>
>
>
> ________________________________________________________________
> erlang-questions (at) erlang.org mailing list.
> See http://www.erlang.org/faq.html
> To unsubscribe; mailto:
>
>


More information about the erlang-questions mailing list