Why would an incorrect password attempt take a lot longer to process than a correct one?
Solution 1:
There's probably an artificial timeout built-in to make it harder for a brute force attack to succeed.
You will see this on many login prompts that involve secure authentication...
Solution 2:
This is some intended delay to prevent brute force attacks. A longer delay also prevents the attacker being able to guess the difference between username is wrong and password is wrong (hashing and checking the password takes noticeable longer time than checking the username).
Solution 3:
Technically, this deliberate delay is to prevent attacks like the "Linearization attack" (there are other attacks and reasons as well).
To illustrate the attack, consider a program (without this deliberate delay), which checks an entered serial to see whether it matches the correct serial, which in this case happens to be "xyba". For efficiency, the programmer decided to check one character at a time and to exit as soon as an incorrect character is found, before beginning the lengths are also checked.
The correct serial length will take longer to process than an incorrect serial length. Even better (for attacker), a serial number that has the first character correct will take longer than any that has an incorrect first character. The successive steps in waiting time is because each time there's one more loop, comparison to go through on correct input.
- So, attacker can select a four-character string and that the string beginning with x takes the most time. (by guess work)
- Attacker can then fix character as x and vary the second character, in which case they will find that y takes the longest.
- Attacker can then fix the first two characters as xy and vary the third character, in which case they will find that b takes the longest.
- Attacker can then fix the first three character as xyb and vary the fourth character,in which case they will find that a takes the longest.
Hence, the attackers can recover the serial one character at a time.
Linearization.java.
Linearization.docx, sample output
The serial number is four characters long ans each character has 128 possible values. Then there are 1284 = 228 = 268,435,456 possible serials. If attacker must randomly guess complete serial numbers, she would guess the serial number in about 227 = 134,217,728 tries, which is an enormous amount of work. On the other hand, by using the linearization attack above, an average of only 128/2 = 64 guesses are required for each letter, for a total expected work of about 4 * 64 = 28 = 256 guesses, which is a trivial amount of work.
Much of the written martial is adapted from this (taken from Mark Stamp's "Information Security: Principles and Practice"). Also the calculations above do not take into account the amount of guesswork needed to to figure out the correct serial length.