
An interesting demo: [1] By not doing all 3 hashes, an attacker might realise that the password they sent passed, say, 2 checks, but not the third. This discloses information about the relationship between the password the attacker just tried and the correct password.

[1] http://carlos.bueno.org/2011/10/timing.html



I'm not sure how this is applicable here: if the attacker passes any of the tests, then they are able to log in.


Indeed, stupid logic on my part.
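The three-hash check the exchange above discusses, as an added example (not code from the thread or from the linked demo): the early-exit form is compared with a constant-work form that always derives and compares against every stored hash. The salt, round count and the three sample passwords are constructed here; the number of derivations is returned alongside the verdict because that is what an observer would perceive as elapsed time.

```python
import hashlib
import hmac

# Constructed sample data: one account with three acceptable credential hashes
# (current password plus two legacy ones), standing in for the "3 hashes" case.
SALT = b"constructed-salt"
ROUNDS = 1000


def kdf(password: bytes) -> bytes:
    """Derive the stored hash for a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, ROUNDS)


STORED_HASHES = [kdf(b"current-secret"), kdf(b"previous-secret"), kdf(b"oldest-secret")]


def verify_short_circuit(candidate: bytes, stored=STORED_HASHES):
    """Early-exit form: stop at the first matching hash.

    Returns (accepted, hashes_computed). A rejected guess always costs a
    derivation per stored hash, so failure reveals nothing about partial matches;
    only the position of a successful match shows up as shorter work."""
    computed = 0
    for stored_hash in stored:
        computed += 1  # assumption: each stored hash needs its own derivation
        if hmac.compare_digest(kdf(candidate), stored_hash):
            return True, computed
    return False, computed


def verify_constant_work(candidate: bytes, stored=STORED_HASHES):
    """Constant-work form: derive and compare against every stored hash and
    fold the results with a bitwise OR, so no branch depends on which matched."""
    accepted = False
    computed = 0
    for stored_hash in stored:
        computed += 1
        accepted |= hmac.compare_digest(kdf(candidate), stored_hash)
    return accepted, computed
```

In both forms a rejected guess costs all three derivations, which is the point the reply makes: the early exit only distinguishes which accepted password matched, and the login result already reveals success. The constant-work form removes even that difference.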


I see the problem in theory, but in reality, the time of a couple of hash functions compared to network latency and application server routing would be quite small. Can timing attacks actually work in such situations?



