|
|
|
|
|
|
by CiPHPerCoder
3561 days ago
|
|
|
> The "split token" password reset is snake oil. One of two things just happened: 1. You're being intentionally offensive where it's not really warranted
by calling this proposed strategy snake oil.
2. You don't know what snake oil means.
I'm going to assume the latter. Here's the thing: - Hash functions are deterministic. You'll make timing attacks more
difficult, but you aren't removing the underlying timing leak.
- You database engine almost certainly doesn't compare strings in
constant time in SELECT queries, so there's almost always going
to be a timing leak in SELECT queries.
- Separating the timing leak from the authentication (and making the
latter constant-time) properly alleviates this risk.
Other solutions (relying on the avalanche effect of hash functions, using a random sleep, or sleeping until a minimum amount of time has passed) are brittle and harder to reason about than solving the problem directly, which is what the article proposes.See also: http://stackoverflow.com/a/28486617/2224584 You might disagree with the technical details and arguments laid out, but it isn't snake oil. |
|
|