Minimizing the Timing Differences
Sign in to the appliance to access the features it provides. If incorrect credentials are used to sign in, the request is denied and the server sends a response indicating the reason for the failed login. The time taken to send this response varies with the type of authentication failure, such as invalid password, invalid username, expired username, and so on. This time interval is vulnerable to security attacks that aim to obtain valid users from the system. To mitigate such attacks, the differences in the time between an incorrect sign-in and the server response can be minimized. To enable this setting, toggle the value of the Minimize the timing differences option from the ESA CLI Manager to Yes.
The default value of the Minimize the timing differences option is No.
When you try to log in with a locked user account, a notification indicating that the user account is locked appears. This notification does not appear when the value of the Minimize the timing differences option is Yes. Instead, a notification indicating that the username or password is incorrect appears.
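The following is an added illustration of the behavior described above, not the appliance's own code: a login check that, with the setting off, returns early with a distinct reason per failure type, and with the setting on, does the same hashing work for every attempt and returns one generic message. The account names, passwords, message strings other than the two quoted on this page, the `ITERATIONS` value and the `hash_calls` counter are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor, chosen for this example
GENERIC_FAILURE = "The username or password is incorrect."

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password, locked=False, expired=False):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt),
            "locked": locked, "expired": expired}

# Constructed sample accounts (hypothetical names and passwords).
USERS = {
    "alice": make_user("correct horse"),
    "bob": make_user("hunter2", locked=True),
    "carol": make_user("s3cret", expired=True),
}
# Throwaway record so an unknown username costs the same hash as a known one.
_DUMMY = make_user(os.urandom(16).hex())

def login(username, password, minimize_timing=True):
    """Return (ok, message, hash_calls); hash_calls stands in for server work."""
    user = USERS.get(username)
    if not minimize_timing:
        # Models the setting at No (assumed): each failure exits early
        # with its own reason, so both message and work differ.
        if user is None:
            return False, "Invalid username.", 0
        if user["locked"]:
            return False, "The user account is locked.", 0
        if user["expired"]:
            return False, "The username has expired.", 0
        ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
        return ok, ("Signed in." if ok else "Invalid password."), 1
    # Models the setting at Yes (assumed): always one hash and one
    # constant-time compare; account state folds into one generic outcome.
    record = user if user is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    ok = matches and user is not None and not user["locked"] and not user["expired"]
    return ok, ("Signed in." if ok else GENERIC_FAILURE), 1
```

With `minimize_timing=True`, an unknown user, a wrong password, a locked account and an expired account are indistinguishable by message or by the amount of hashing performed.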