by pacaro
5054 days ago
Looking at the bigger picture of login/auth, timing might easily tell you the difference between valid and invalid usernames (information that you would not normally expect to leak from login). A clumsy password implementation may give away information about valid password rules: imagine a system that validates passwords for length/complexity etc. (either before or after hashing) and rejects based on that, without comparing the hash values (or, worst case, without even performing the hash). Again, more information has been leaked in the timing.
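A worked illustration of the two leaks described above, added here as an example and not code from the comment's author. Both leaks share one root cause: the expensive step (the password hash) is skipped on some rejection paths, so the response time tells the caller which path was taken. The leaky version below returns early for unknown usernames and for passwords that fail a policy check; the uniform version always derives a hash (against a dummy salt/hash when the user does not exist), compares in constant time, and only then combines the results. The one-user database, the PBKDF2 iteration count, the 12-character policy and the `stats` counter used to make the skipped work observable are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Assumption for this example: PBKDF2-HMAC-SHA256 with a modest iteration count,
# high enough that a skipped hash is visible in the response time.
ITERATIONS = 20_000


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed single-user database (not real credentials).
_ALICE_SALT = b"\x01" * 16
USERS = {
    "alice": {"salt": _ALICE_SALT, "hash": derive("correct horse battery", _ALICE_SALT)},
}

# Dummy material so that a lookup miss still costs one full hash derivation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("not-a-real-password", _DUMMY_SALT)


def password_policy_ok(password: str) -> bool:
    # Hypothetical policy; the right place to enforce it is at password *set* time.
    return len(password) >= 12


def login_leaky(username: str, password: str, stats: dict) -> bool:
    """Rejects early on both paths the comment describes: no hash is computed."""
    user = USERS.get(username)
    if user is None:
        return False                      # fast path: unknown usernames are distinguishable
    if not password_policy_ok(password):
        return False                      # fast path: policy violations are distinguishable
    stats["hashes"] += 1
    return derive(password, user["salt"]) == user["hash"]   # also a non-constant-time compare


def login_uniform(username: str, password: str, stats: dict) -> bool:
    """Does the same amount of work regardless of why the attempt fails."""
    user = USERS.get(username)
    salt = user["salt"] if user is not None else _DUMMY_SALT
    expected = user["hash"] if user is not None else _DUMMY_HASH
    stats["hashes"] += 1
    candidate = derive(password, salt)    # always runs, even for unknown users
    matched = hmac.compare_digest(candidate, expected)
    policy = password_policy_ok(password)
    # Plain boolean combination after all the work is done; nothing short-circuits
    # before the hash, so the timing no longer depends on which check failed.
    return (user is not None) and matched and policy


# Constructed probes: unknown user, known user with a policy-violating password, correct login.
PROBES = [
    ("mallory", "correct horse battery"),
    ("alice", "short"),
    ("alice", "correct horse battery"),
]


def hash_counts(login) -> list:
    """How many hash derivations each probe triggers: the leak made countable."""
    counts = []
    for username, password in PROBES:
        stats = {"hashes": 0}
        login(username, password, stats)
        counts.append(stats["hashes"])
    return counts


def outcomes(login) -> list:
    return [login(u, p, {"hashes": 0}) for u, p in PROBES]


def median_seconds(login, username: str, password: str, rounds: int = 15) -> float:
    """Rough wall-clock cost of one attempt; for the reader, not for assertions."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(username, password, {"hashes": 0})
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("uniform", login_uniform)):
        print(name, "hash derivations per probe:", hash_counts(fn))
        for username, password in PROBES:
            print(f"  {name:8s} {username:8s} {median_seconds(fn, username, password) * 1000:7.2f} ms")
```

Running the script shows the leaky login answering the first two probes in microseconds and the third in tens of milliseconds, while the uniform login takes roughly the same time for all three. Note that both versions still return the same booleans; the fix changes only how much work is done before the answer is known.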