path: root/modules/installed/lib/auth.py
Age | Commit message | Author
2013-04-24 | If needed instead of an elif. | Tom Galloway
2013-03-23 | Unify authentication errors. | Nick Daly
Give the same error if the username doesn't exist or if the password is wrong. If we deliver separate errors, we tell the attacker whether they've picked a valid password or not. Also, if the username doesn't exist, hash the password anyway to avoid this timing side-channel attack:

1. Invalid Username:
   A. User tries to log in with invalid username.
   B. User name is not found in database.
   C. Password is never hashed.
2. Invalid Password:
   A. User tries to log in with valid username.
   B. User name is found in database.
   C. Password is hashed.

Given that proper password hashing will take a minute, *not* hashing the password takes so much less time that we've effectively indicated to the attacker that the username didn't exist, regardless of the error message. This way, no such error occurs.
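The mitigation described in that commit message, as an added example that is not the project's own auth.py: one generic failure message for both unknown users and wrong passwords, and the password hash computed against a dummy record when the user is unknown so both failure paths do the same work. The PBKDF2 hashing via hashlib, the in-memory user table, the dummy record and the call counter are assumptions made for this illustration.

```python
# Added example, not the project's auth.py. Assumes PBKDF2-HMAC-SHA256 via the
# standard library; the user table below is constructed sample data.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune to your hardware
LOGIN_FAILED = "Invalid username or password."  # one message for both failures


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user table: username -> stored salt and hash.
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record used only when the username is unknown, so that the expensive
# hash still runs and the "no such user" path costs about as much as a real one.
DUMMY_RECORD = make_record("dummy-password-never-accepted")

HASH_CALLS = {"count": 0}  # instrumentation: lets a test confirm both paths hash


def login(username: str, password: str) -> tuple:
    """Return (success, message). The failure message is identical whether the
    user is unknown or the password is wrong, and the hash is computed either way."""
    record = USERS.get(username)
    known_user = record is not None
    if not known_user:
        record = DUMMY_RECORD  # same work as for a real user; result is discarded
    HASH_CALLS["count"] += 1
    candidate = hash_password(password, record["salt"])
    # compare_digest avoids leaking where the first differing byte is
    matches = hmac.compare_digest(candidate, record["hash"])
    if known_user and matches:
        return True, "OK"
    return False, LOGIN_FAILED
```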
2012-02-19 | complete the transition to sqlite | James Vasile
2011-02-22 | ... | James Vasile