undefined | Better HN

0 pointsfoota6y ago0 comments

Nit: I don't believe that comparing hashes in constant time is important, as long as you accept the user's password and then hash it, since being able to find the prefix of the hash is computationally just as hard as reversing the hash.

Though it doesn't hurt to do anyway :)

It is important when comparing (some forms of) auth tokens, such as csrf tokens.

0 comments

thephyber6y ago

Side note: Using the language the correct way to compare hashes is important. Researchers found that PHP can coerce strings into scientific notation if the hash begins with “0e...” and using the == != operators, thereby causing a massive error space[1]

[1] http://www.darkreading.com/vulnerabilities---threats/php-has...

footaOP6y ago

sob

j / k navigate · click thread line to collapse