BlakeWilliams / doorman

Tools to make Plug, and Phoenix authentication simple and flexible.


Prevent Timing Attacks

zimt28 opened this issue

I'm currently reading Programming Phoenix and right there the authentication method is defined like this:

# Excerpt from the Rumbl app in Programming Phoenix; checkpw/2 and
# dummy_checkpw/0 are imported from Comeonin's Bcrypt module.
import Comeonin.Bcrypt, only: [checkpw: 2, dummy_checkpw: 0]

def login_by_username_and_pass(conn, username, given_pass, opts) do
  repo = Keyword.fetch!(opts, :repo)
  user = repo.get_by(Rumbl.User, username: username)

  cond do
    user && checkpw(given_pass, user.password_hash) ->
      {:ok, login(conn, user)}
    user ->
      {:error, :unauthorized, conn}
    true ->
      # No such user: still run one bcrypt comparison so this branch takes
      # about as long as a failed password check would.
      dummy_checkpw()
      {:error, :not_found, conn}
  end
end

Quite similar to doorman's, but it also uses Comeonin's dummy_checkpw function to prevent timing attacks. It would be great if you could add this as well :)
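An added example (not doorman's code and not the book's) showing the leaky and the dummy-check versions side by side, with a small timing helper to confirm the mitigation works. It assumes Comeonin's Bcrypt backend (`checkpw/2` and `dummy_checkpw/0` from the snippet above, plus `hashpwsalt/1`) and uses a plain map as a stand-in for the Repo.

```elixir
# Added example: timing-safe lookup+verify with a measurement helper.
# Assumes Comeonin.Bcrypt (checkpw/2, dummy_checkpw/0, hashpwsalt/1).
defmodule TimingSafeAuth do
  import Comeonin.Bcrypt, only: [checkpw: 2, dummy_checkpw: 0, hashpwsalt: 1]

  # Constructed in-memory "repo": username => bcrypt hash (stands in for Repo).
  def users, do: %{"alice" => hashpwsalt("correct horse battery staple")}

  # Leaky form: an unknown username returns without hashing, so the reply
  # takes microseconds instead of the tens of milliseconds a bcrypt check
  # costs, letting a caller tell valid usernames from invalid ones.
  def authenticate_leaky(users, username, given_pass) do
    case Map.fetch(users, username) do
      {:ok, hash} -> if checkpw(given_pass, hash), do: :ok, else: {:error, :unauthorized}
      :error -> {:error, :not_found}
    end
  end

  # Hardened form: the unknown-username branch still runs one bcrypt
  # comparison against a dummy hash, so both failure paths cost the same.
  # Keep :not_found and :unauthorized for logging only; show the client
  # one generic failure message, or the atom leaks what the timing no longer does.
  def authenticate(users, username, given_pass) do
    case Map.fetch(users, username) do
      {:ok, hash} ->
        if checkpw(given_pass, hash), do: :ok, else: {:error, :unauthorized}
      :error ->
        dummy_checkpw()
        {:error, :not_found}
    end
  end

  # Median wall-clock time in microseconds of `fun` over `n` runs; a cheap
  # check to run in iex and confirm the two failure paths are indistinguishable.
  def median_us(fun, n \\ 20) do
    1..n
    |> Enum.map(fn _ -> {us, _} = :timer.tc(fun); us end)
    |> Enum.sort()
    |> Enum.at(div(n, 2))
  end

  def demo do
    users = users()
    for {label, f} <- [leaky: &authenticate_leaky/3, safe: &authenticate/3] do
      wrong = median_us(fn -> f.(users, "alice", "wrong") end)
      missing = median_us(fn -> f.(users, "nobody", "wrong") end)
      IO.puts("#{label}: wrong password #{wrong} us, unknown user #{missing} us")
    end
    :ok
  end
end
```

Run `TimingSafeAuth.demo()` in iex: the leaky version reports a large gap between the two failure cases, the hardened one reports roughly equal times.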

Good call! I'll look into implementing this.

Thanks for reporting this, fixed in #13.