I'm curious, to what extent are passwords exploitable if the underlying password comparison is vulnerable to timing attacks. My main concern is that internet speed continuously varies, webserver response times change depending on server load, etc.
Asked
Active
Viewed 1,389 times
1 Answers
1
If the timing difference is in plaintext password comparison, it is not really feasible to do this over the Internet. However, it is often possible for the attacker to get access to a computer in the same network, or even to a VM on the same hardware, by hosting his attack with the same hosting provider as the target web site.
If the site uses hashed passwords and compares the hashes instead of the plaintext password, this timing attack scenario doesn't apply anymore.
Sjoerd
- 28,707
- 12
- 74
- 102
-
The last sentence is not entirely true. Beware of comparing hashes with '===' as it is still sensitive to timing attack However having a comparison that always takes the same amount of time to compare the two strings is safe against timing attacks – Tofandel Feb 11 '20 at 13:03