Find a way to not use == in the README #8

alex · 2014-03-26T16:41:40Z

I don't think it's actually exploitable as a timing attack (in fact I'm pretty sure it's not), but I think it'd be good hygeine to offer a check_password function or similar and use that, so we dont' have to expose a general purpose constant time comparison function.

charmander · 2014-07-19T00:32:47Z

It’s nice not to expose a general-purpose constant-time comparison function for sure, since it’s not bcrypt’s job to do that, but you’re right that that particular timing attack doesn’t work against bcrypt either; why would it need one in the first place, exposed or not?

wbolster · 2015-03-23T10:12:04Z

Fwiw, the standard library provides hmac.compare_digest() since 2.7.x.

See pyca#8

reaperhulk · 2016-06-28T19:54:08Z

#76 will solve this

paragonie-scott added a commit to paragonie-scott/bcrypt that referenced this issue Feb 15, 2016

Update README.rst

b01bd27

See pyca#8

paragonie-scott mentioned this issue Feb 15, 2016

Update README.rst #60

Closed

mmerickel mentioned this issue Feb 27, 2016

wiki2 authentication bug fix and improvement against timing attack Pylons/pyramid#2379

Merged

dstufft mentioned this issue Jun 30, 2016

Use checkpw() instead of == #86

Merged

reaperhulk closed this as completed in #86 Jun 30, 2016

github-actions bot locked as resolved and limited conversation to collaborators Aug 15, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Find a way to not use == in the README #8

Find a way to not use == in the README #8

alex commented Mar 26, 2014

charmander commented Jul 19, 2014

wbolster commented Mar 23, 2015

reaperhulk commented Jun 28, 2016

Find a way to not use == in the README #8

Find a way to not use == in the README #8

Comments

alex commented Mar 26, 2014

charmander commented Jul 19, 2014

wbolster commented Mar 23, 2015

reaperhulk commented Jun 28, 2016