Open-source software libraries could be vulnerable to timing hack


Two security researchers say that software libraries used to check user names, passwords and other authentication tokens may be vulnerable to a well-known class of cryptographic attack, the timing attack. Because many such libraries compare a submitted value against the expected one a character at a time and stop at the first mismatch, an attacker can recover the secret by measuring how long the computer takes to reject an invalid attempt: a guess whose first character is right is rejected slightly later than one whose first character is wrong, so the attacker fixes that character and advances to the next one.
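
The mechanism described above, as an added example that is not code from the original article or from the researchers: an early-exit comparison is simulated with a counter of bytes examined standing in for elapsed time, a byte-at-a-time recovery loop is run against it, and the same loop is shown to get no signal from a comparison that always examines every byte. The secret, alphabet and function names are constructed for the demo; the only real library call is `hmac.compare_digest`, which is the standard constant-time comparison in Python.

```python
import hmac
from typing import Callable, Optional, Tuple

# Constructed sample secret for the demo (not a real credential): an 8-char hex token.
SECRET = b"4f9a1c0e"
ALPHABET = b"0123456789abcdef"


def early_exit_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """The vulnerable pattern: compare byte by byte and stop at the first mismatch.

    Returns (equal, bytes_examined). The second value stands in for elapsed time:
    the further the loop runs before bailing out, the longer the rejection takes.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """The fix: examine every byte and fold mismatches into an accumulator.

    Only the length check short-circuits, and lengths of tokens are normally
    fixed and public, so the attacker learns nothing about the content.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_token(expected: bytes, submitted: bytes) -> bool:
    """What production code should call: the library's constant-time comparison."""
    return hmac.compare_digest(expected, submitted)


def make_oracle(compare: Callable[[bytes, bytes], Tuple[bool, int]],
                secret: bytes) -> Callable[[bytes], Tuple[bool, int]]:
    """Simulate a server that answers accept/reject and lets us 'time' the check."""
    def oracle(guess: bytes) -> Tuple[bool, int]:
        return compare(secret, guess)
    return oracle


def recover_secret(oracle: Callable[[bytes], Tuple[bool, int]],
                   length: int, alphabet: bytes = ALPHABET) -> Optional[bytes]:
    """Recover the secret one position at a time.

    At each position the candidate whose rejection costs the most is the one the
    comparison got furthest into, i.e. the correct byte. Returns None when every
    candidate costs the same, which is what a constant-time comparison yields.
    """
    known = bytearray()
    for pos in range(length):
        costs = {}
        for c in alphabet:
            # Pad with a byte outside the alphabet so only the prefix can match.
            guess = bytes(known) + bytes([c]) + b"\x00" * (length - pos - 1)
            accepted, cost = oracle(guess)
            if accepted:
                return guess
            costs[c] = cost
        if len(set(costs.values())) == 1:
            return None  # no timing signal: the attack is blind
        known.append(max(costs, key=costs.get))
    return None


if __name__ == "__main__":
    leaky = make_oracle(early_exit_compare, SECRET)
    safe = make_oracle(constant_time_compare, SECRET)
    print("early-exit compare  :", recover_secret(leaky, len(SECRET)))
    print("constant-time compare:", recover_secret(safe, len(SECRET)))
```

Against the early-exit oracle the loop needs at most 16 guesses per position instead of 16^8 overall; against the constant-time oracle every candidate at the first position costs the same and the loop gives up. On a real network the single counter becomes many timing samples per candidate that must be averaged to overcome jitter, which is the part of the problem the talk addresses.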

The idea is not new; the Computerworld article points out that a timing attack of this kind has been used to break into Microsoft's Xbox 360. But the unpredictable latency of WAN links and the Internet meant that few security researchers considered a timing attack workable against networked computers.

However, researchers Nate Lawson and Taylor Nelson say they have shown that it is, using algorithms designed to filter out what they call "network jitter." They are scheduled to present the work at the Black Hat conference later this month.

For more on this story:
- check out this article at Computerworld 
