Remote Timing Attack vulnerability

Question

Remote Timing Attack vulnerability

Closed this issue 12 years ago · 2 comments

Comparing passwords using == or === is vulnerable to a remote timing attack.
http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/

Answer 1 · 2012-07-18T17:43:55.000Z

I've looked into this previously, and all my research indicates that this is unnecessary when dealing with proper password hashing techniques. Even the article you link states, "Using one-way hashing should defeat this because it’s very hard to work backwards from timing leaks when the attacker derived input keeps changing (hashes to a different digest each time a byte changes in the original plaintext input)."

I'll be happy to look into this again, but these issues are related more to accidental data disclosure than brute-force password cracking when hashes are in use.

Answer 2 · 2012-07-19T11:31:35.000Z

OK, no problem. Keep up the good work.