    78175b88
    Limit the data extraction based upon execution time · 78175b88
    Marco De Donno authored
    This commit will add a time-waste function if the username is not
    present in the database. This is done to prevent the data extraction, in
    this case the presence or not of a username, based upon the execution
    time for the login process.
    
    In the configuration file, the 'fake_hash' variable is computed with the
    input data "fake_data" and the salt "fake_salt" to be transparent about
    the data used as input for the hashing function.
    
    The comparison with the 'verify()' function is a boolean (always True in
    this case), and is not used in any useful way in the login process.
    
    This waste of time is done even if the risk factor is very small (not to
    say nonexistent).
    
    The location of this function call is designed to be only present if the
    username provided as input does not exist in the database. This is done
    to not impact real users.
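The pattern the commit message describes, shown as an added Python example that is not the project's own code: a leaky login that returns early for unknown usernames next to one that runs a `verify()` against a constant `fake_hash` (computed from `"fake_data"` and `"fake_salt"`) so both paths do the same hashing work. PBKDF2 via `hashlib`, the in-memory user table and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed cost parameters and a constructed in-memory user table.
ITERATIONS = 100_000
FAKE_SALT = b"fake_salt"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(hash_password(password, salt), expected)


# As in the commit message: fake_hash is derived from public inputs, so the
# value itself is not secret and only exists to make the slow path run.
FAKE_HASH = hash_password("fake_data", FAKE_SALT)

_SALT = os.urandom(16)
USERS = {"alice": {"salt": _SALT, "hash": hash_password("correct horse", _SALT)}}


def login_leaky(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False  # returns before any hashing: unknown users answer faster
    return verify(password, user["salt"], user["hash"])


def login_constant_work(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        verify("fake_data", FAKE_SALT, FAKE_HASH)  # always True; result unused
        return False
    return verify(password, user["salt"], user["hash"])


def mean_login_seconds(login, username: str, password: str, rounds: int = 5) -> float:
    # Rough timing helper used only to illustrate the difference between paths.
    start = time.perf_counter()
    for _ in range(rounds):
        login(username, password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        known = mean_login_seconds(fn, "alice", "wrong")
        unknown = mean_login_seconds(fn, "nobody", "wrong")
        print(f"{fn.__name__}: known={known:.4f}s unknown={unknown:.4f}s")
```

Running the module prints a visibly shorter unknown-user time for `login_leaky` and near-identical times for `login_constant_work`; the timings are illustrative and depend on the machine.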