Make login failure time consistent #170

Closed
opened 6 years ago by trinity-1686a · 0 comments
Owner

Login failure due to the user not being found is pretty much instantaneous, whereas an error due to an invalid password takes quite a long time. When we detect this is not a known user, we should compute the same password derivation function on the provided password to prevent disclosure of information (and, not really related, but the cost used for password derivation should be cheaper: 6 full seconds (measured on the demo instance) of CPU usage is quite expensive).

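The mitigation the issue proposes, as an added Python illustration (not Plume's own code, which is Rust): when the username is unknown, run the same KDF against a dummy record so both failure paths cost the same. The user store, the scrypt parameters and the dummy record are constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Constructed cost parameters: the same shape as a real deployment but far
# cheaper than the 6-second derivation the issue measured.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive(password: str, salt: bytes) -> bytes:
    """Password derivation function shared by every login path."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_record(password: str):
    salt = os.urandom(16)
    return salt, derive(password, salt)


# Constructed user store with a single known account.
USERS = {"alice": make_record("correct horse")}

# Dummy record derived once at startup; used only so that the unknown-user
# path pays the same KDF cost as the wrong-password path.
_DUMMY_SALT, _DUMMY_HASH = make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> bool:
    """Pattern the issue describes: unknown user returns instantly."""
    rec = USERS.get(username)
    if rec is None:
        return False  # no KDF run: timing reveals the account does not exist
    salt, stored = rec
    return hmac.compare_digest(derive(password, salt), stored)


def login_constant_cost(username: str, password: str) -> bool:
    """Fixed pattern: always run the KDF, then discard the dummy result."""
    rec = USERS.get(username)
    known = rec is not None
    salt, stored = rec if known else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(derive(password, salt), stored)
    return known and matches  # never succeed on the dummy comparison


def timed(fn, *args):
    """Return (result, seconds) so the two failure paths can be compared."""
    t0 = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - t0
```

Timing both functions with an unknown user and with a wrong password for a known user shows the leaky version finishing the unknown-user case in microseconds while the constant-cost version takes roughly the same time on both paths.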
Reference: Plume/Plume#170