On some systems, the server will check a cryptographic signature on a token sent by the user to prove that he has logged into the system. It will kick back an error message as soon as it spots a bad character. This means a computer returns an error for a completely bad token a tiny bit faster than one where the first character is correct.

By submitting signatures again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct digital signature.