[erlang-questions] Two beautiful programs - or web programming made easy

Robert Raschke <>
Wed Feb 16 10:58:08 CET 2011


Well, I would have thought that kind of depends on what you're wanting to
protect, and who from, no? Would you refrain from using a forum if they sent
you your password?

When talking about security there is no such thing as a general approach.
You need to look at the particular threats and risks to figure out how much
and how good your security must be.

This threat and risk analysis appears to be common practice in other fields,
but tends to be ignored in the IT world, where a whole industry revolves
around some magical maximum security.

Robby

On Wed, Feb 16, 2011 at 7:54 AM, Håkan Huss <> wrote:

> You didn't really time the function, you made sure that the second
> page was non-existant and checked whether or not it had been created
> after the call. See for instance
>
>
> http://groups.google.com/group/alt.folklore.computers/msg/00d243bb0caa9f69?dmode=source&pli=1
>
> Anyway, no-one stores passwords in plain text these days, right? (I
> always check the "forgot password" mechanism of web sites that I sign
> up to. If they can send me my password I tend to be wary of their
> security. If they offer to reset my password, they at least got one
> thing right...).
>
> Regards,
> /Håkan
>
> On Wed, Feb 16, 2011 at 07:17, Bengt Kleberg <>
> wrote:
> > Greetings,
> >
> > Google does not find anything about this so from memory:
> >
> > The password had to be stored on two different virtual memory pages. You
> > started with the first character on page one, and the rest on page 2.
> > The library function that checked if this was the right password would
> > return faster if the character on page one was correct. After trying all
> > possible first characters you would then know the correct character.
> > Then put both the correct first character and another (probably wrong)
> > character one virtual memory page one, the rest on page two. Repeat.
> >
> >
> > bengt
> >
> > On Tue, 2011-02-15 at 21:59 +0100, Robert Virding wrote:
> >> ----- "Jesper Louis Andersen" <> wrote:
> >>
> >> > Beware the side-channel attack. Crypto done right, mathematically, is
> >> > not secure anymore. You need certain functions to take the same
> >> > amount
> >> > of time always, or you can gleam off bits from information theoretic
> >> > attacks.
> >>
> >> This reminds of something from the annals of history, from the golden
> age of computing. Apparently on a Dec-10 you could tell how many of the
> characters in an attempted password were correct by the time it took for the
> system to return that it was an illegal password. Or so the legends say.
> >>
> >> Robert
> >>
> >
> >
> > ________________________________________________________________
> > erlang-questions (at) erlang.org mailing list.
> > See http://www.erlang.org/faq.html
> > To unsubscribe; mailto:
> >
> >
>
> ________________________________________________________________
> erlang-questions (at) erlang.org mailing list.
> See http://www.erlang.org/faq.html
> To unsubscribe; mailto:
>
>


More information about the erlang-questions mailing list