Code improvement

Add a javascript in all site page
Ensure that every time the correct password is supplied the same time is required to display the page regardless if the user is logged or not
Don't use iframe for the implementation of the site. The problem is that people may get stuck because they did not realize they did not view the sources of every page.

Feedback

Make sure you understand how setTimeout and closures work in Javascript. In particular be mindful of things that belong in quotes or don't in the first parameter of setTimeout. The newsgroup post on using setTimeout should help.
img.onerror = function() { /* your code here */ }; You are setting an event handler and the code inside the function is not executed until the event (image onerror) is fired.
For part 1: If onerror happens before the code in the timeout is executed then the port is open. If the code in the timeout executed first then the port is closed.
For part 2: Queue your testing of each password somehow (don't do things in a for loop). If you try all 217 passwords at once in a loop all your timing data will be incorrect.
You can import the password list by doing the following: . This will give you an array called passList that you can use in your code.
For part 3, make sure you find all accessible files when you are logged in and see what they look like when you are logged in and when you are not

For part 3, a hint from part 2 is very helpful
Newsgroup post explaining a couple different uses of setTimeout and what variables are availiable when
Avoid caching from messing with the timing, by adding a random number to the end of your query string when calibrating passwords
For part 2, require that they logout first to facilitate grading
For part 2, maybe remove the calibration requirement? Have to rethink the timing deal, since it is somewhat flaky depending on the students environment.