by CiPHPerCoder
3402 days ago
> The author mentions that you can tell how much of the hashes match because the compare function exits early if they do. This might be true, but it doesn't give you anything.

I think you may be confused. The article discussed two cases initially:

1. Username and password hash.
2. Naked string used in a SELECT query.

The latter case is where the timing leak can occur. That password_verify() is constant-time is just a nice-to-know defense-in-depth feature, not a must-have.

(Disclaimer: I am the author.)
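As an added illustration of the two cases the reply distinguishes (this is example code written for this page, not code from the article or its author), the PHP below runs against an in-memory SQLite database. Case 1 looks a user up by the non-secret username and lets password_verify() do the secret comparison in constant time. Case 2 puts the secret itself in the WHERE clause, so the database engine's byte-by-byte string comparison decides the response time. The hardened variant of case 2 is an assumption of this demo, not something stated in the thread: it gives the API key the same shape as case 1 by looking up on a non-secret selector and comparing a fixed-length hash of the verifier with hash_equals() in application code. Table names, column names and the selector.verifier key format are also assumptions.

```php
<?php
declare(strict_types=1);

// In-memory SQLite so the example runs offline. Table and column names and
// the "selector.verifier" API-key format are assumptions made for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT)');
$db->exec('CREATE TABLE api_keys (id INTEGER PRIMARY KEY, user_id INTEGER, secret TEXT UNIQUE)');
$db->exec('CREATE TABLE api_keys_split (selector TEXT PRIMARY KEY, user_id INTEGER, verifier_hash TEXT)');

// Constructed sample data.
$db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

$leakySecret = bin2hex(random_bytes(16));
$db->prepare('INSERT INTO api_keys (user_id, secret) VALUES (?, ?)')->execute([1, $leakySecret]);

$selector = bin2hex(random_bytes(8));
$verifier = bin2hex(random_bytes(16));
$db->prepare('INSERT INTO api_keys_split (selector, user_id, verifier_hash) VALUES (?, ?, ?)')
   ->execute([$selector, 1, hash('sha256', $verifier)]);
$splitKey = $selector . '.' . $verifier;   // what the client is handed

// Case 1: the WHERE clause only touches the non-secret username. The secret
// (the password) is compared in application code by password_verify(), which
// is constant-time, so the lookup itself reveals nothing about the hash.
function loginCase1(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Case 2 (leaky): the secret itself is the search key. The database engine
// compares it to stored values byte by byte and stops at the first mismatch,
// so response time depends on how much of the guessed secret is correct.
function lookupCase2Leaky(PDO $db, string $secret): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM api_keys WHERE secret = ?');
    $stmt->execute([$secret]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Case 2 (hardened; an assumption of this demo, not stated in the thread):
// give the secret the same shape as case 1. A non-secret selector does the
// database lookup; the secret verifier is hashed to a fixed length and
// compared with hash_equals() in application code.
function lookupCase2Hardened(PDO $db, string $apiKey): ?int
{
    $parts = explode('.', $apiKey, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $verifier] = $parts;
    $stmt = $db->prepare('SELECT user_id, verifier_hash FROM api_keys_split WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Hashing first makes both operands the same length, so hash_equals()
    // never takes its early length-mismatch exit.
    if (!hash_equals($row['verifier_hash'], hash('sha256', $verifier))) {
        return null;
    }
    return (int) $row['user_id'];
}

var_dump(loginCase1($db, 'alice', 'correct horse battery staple'));
var_dump(loginCase1($db, 'alice', 'wrong'));
var_dump(lookupCase2Leaky($db, $leakySecret));
var_dump(lookupCase2Hardened($db, $splitKey));
var_dump(lookupCase2Hardened($db, $selector . '.nope'));
```

Run it with the `php` CLI with the pdo_sqlite extension enabled. The leaky and hardened lookups return the same user id for a valid key; the difference is where the secret gets compared, inside the database's string equality for the leaky version and inside hash_equals() for the hardened one.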