
Make server wait a random amount of time when username is bad to mimic password being bad #11

Open
cgm616 opened this issue Apr 22, 2017 · 2 comments
Comments

Owner

cgm616 commented Apr 22, 2017

When logging in, if the username is not in the database the response will come back almost immediately, because the database call takes relatively less time than hashing a password to see if it is correct. Therefore, an attacker can mine our database for usernames by testing to see what combinations of login usernames go fast compared to waiting for hashing.

To prevent this, the server should wait a random-but-plausible amount of time after deciding that a username is bad before sending a response.

@cgm616 cgm616 added this to the v1 (launch) milestone Apr 22, 2017
@cgm616 cgm616 self-assigned this Apr 22, 2017
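Added example, not code from this repository: a std-only Rust sketch of the login check the issue describes, with the short-circuiting version beside one that always performs exactly one password-hash verification, against a stored dummy hash when the username is unknown, so the two failure responses cost the same without any blocking sleep. `slow_hash`, `UserDb` and the sample user are constructed stand-ins; a real service would use its actual password hash and a constant-time comparison of the digests.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicU64, Ordering};

static HASH_CALLS: AtomicU64 = AtomicU64::new(0); // counts slow-hash calls per login path
pub fn hash_calls() -> u64 { HASH_CALLS.load(Ordering::SeqCst) }
/// Stand-in for a real password hash (argon2/bcrypt), NOT a KDF: it only burns fixed CPU
/// so the cost of "unknown user" and "wrong password" can be compared.
pub fn slow_hash(password: &str) -> u64 {
    HASH_CALLS.fetch_add(1, Ordering::SeqCst);
    let mut h: u64 = 0xcbf2_9ce4_8422_2325; // FNV-1a, iterated to make it slow
    for _ in 0..200_000 {
        for b in password.bytes() { h = (h ^ b as u64).wrapping_mul(0x0100_0000_01b3); }
    }
    h
}

pub struct UserDb { hashes: HashMap<String, u64>, dummy: u64 }
impl UserDb {
    /// Constructed sample database with one user; the dummy hash belongs to no account.
    pub fn demo() -> Self {
        let mut hashes = HashMap::new();
        hashes.insert("alice".to_string(), slow_hash("correct horse"));
        UserDb { hashes, dummy: slow_hash("dummy-password-never-valid") }
    }
}

/// Leaky: an unknown user returns before hashing, so that reply comes back in database
/// time while a wrong password for a real user costs a full hash (the issue's finding).
pub fn login_leaky(db: &UserDb, user: &str, password: &str) -> bool {
    match db.hashes.get(user) {
        Some(&stored) => slow_hash(password) == stored,
        None => false,
    }
}

/// Hardened: hash exactly once on every attempt, against the dummy when the user is
/// unknown, so both failure paths cost the same and no blocking sleep is needed.
pub fn login_constant_work(db: &UserDb, user: &str, password: &str) -> bool {
    let (stored, known) = match db.hashes.get(user) {
        Some(&h) => (h, true),
        None => (db.dummy, false),
    };
    (slow_hash(password) == stored) & known // `&`, not `&&`: never short-circuit
}
/// Slow-hash calls a login function spends on an unknown user (0 leaks, 1 matches a real user).
pub fn unknown_user_cost(login: fn(&UserDb, &str, &str) -> bool, db: &UserDb) -> u64 {
    let before = hash_calls();
    login(db, "nobody", "wrong");
    hash_calls() - before
}
```

The database lookup itself still takes time, so the hardened path equalizes the dominant cost rather than every nanosecond; the remaining variance is what a fixed-work design leaves, which is far less than the whole hash.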
Owner Author

cgm616 commented May 3, 2017

This might rely on asynchronous Rocket, because otherwise it will stall our entire server on the wait... Check out rwf2/Rocket#17.

Owner Author

cgm616 commented May 3, 2017

For prod, probably some sort of nginx reverse proxy can be used to circumvent this: check out rwf2/Rocket#243.
