
Added unneeded hashing operation on login with nonexistent user #216

merged 1 commit into from

2 participants


Currently, if a user submits an identity and password to the login form, and the identity is not in the database, the form returns an error immediately. If the identity is in the database, the supplied password is checked against the stored hash, which takes a fraction of a second longer.

However, the difference is noticeable (about 100ms on my machine, using bcrypt with 10 rounds), which means that it would be possible for someone to determine if an account exists by the amount of time it takes for the login form to be processed.

I added a call to hash_password to the login() method to make the processing time when the user doesn't exist more equitable.
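The timing difference described in this pull request, shown as an added example rather than ion_auth's own code: a login check that returns early for an unknown identity, beside one that spends a bcrypt verification on both paths. The user table, identities, passwords and function names are constructed for the demonstration; where the PR calls `hash_password()` on the submitted password, this example verifies against a precomputed dummy hash of the same cost, which is the same idea with the cost pinned to the stored hashes.

```php
<?php
// Added example (not ion_auth code): a login that leaks account existence
// through timing, beside one that does the same bcrypt work on both paths.
// All names and the in-memory user table below are constructed.

const BCRYPT_COST = 10; // matches "bcrypt with 10 rounds" from the PR description

// Constructed sample user store: identity => bcrypt hash.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
];

// Leaky: returns immediately when the identity is unknown, so a failed login
// for a real account takes one bcrypt verification longer than a failed login
// for an unknown account. That gap is what an observer measures.
function login_leaky(array $users, string $identity, string $password): bool
{
    if (!isset($users[$identity])) {
        return false; // fast path: no hashing at all
    }
    return password_verify($password, $users[$identity]); // slow path
}

// Equalized: when the identity is unknown, verify against a precomputed dummy
// hash with the same cost, so both paths perform exactly one bcrypt operation.
$dummyHash = password_hash('placeholder-never-matches', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

function login_equalized(array $users, string $dummyHash, string $identity, string $password): bool
{
    $known = isset($users[$identity]);
    $hash  = $known ? $users[$identity] : $dummyHash;
    $ok    = password_verify($password, $hash);
    // Never accept a login for an identity that does not exist, whatever the dummy verify returned.
    return $known && $ok;
}

// Crude measurement: median wall-clock time of $n attempts, in milliseconds.
function median_ms(callable $fn, int $n = 20): float
{
    $samples = [];
    for ($i = 0; $i < $n; $i++) {
        $start = hrtime(true);
        $fn();
        $samples[] = (hrtime(true) - $start) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($n, 2)];
}

// Compare a wrong-password attempt against a known identity and an unknown one.
$variants = [
    'login_leaky'     => fn(string $id): bool => login_leaky($users, $id, 'wrong-password'),
    'login_equalized' => fn(string $id): bool => login_equalized($users, $dummyHash, $id, 'wrong-password'),
];

foreach ($variants as $name => $attempt) {
    $known   = median_ms(fn() => $attempt('alice'));
    $unknown = median_ms(fn() => $attempt('nobody'));
    printf("%-16s known identity: %6.1f ms   unknown identity: %6.1f ms\n", $name, $known, $unknown);
}
```

Run it with `php timing.php` (PHP 7.4 or later for arrow functions and `hrtime`). The leaky variant shows the unknown-identity attempt finishing far faster than the known-identity one; the equalized variant brings the two medians together. The dummy hash is computed once at startup so that the unknown-user path does not also pay for salt generation on every request, and it uses the same cost as the real hashes, which is the property that actually closes the gap.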


VERY good thinking dude. Thanks!


So is this good to go?


Sorry, I thought I merged it in.

@benedmunds benedmunds merged commit c578048 into benedmunds:2
Commits on May 3, 2012
  1. @michaelbrooks

     Added unneeded hashing operation on failed login to prevent detection of registered identities because of timing.

     michaelbrooks committed
Showing with 3 additions and 0 deletions.
  1. +3 −0  models/ion_auth_model.php
3  models/ion_auth_model.php
@@ -868,6 +868,9 @@ public function login($identity, $password, $remember=FALSE)
+ //Hash something anyway, just to take up time
+ $this->hash_password($password);
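Review bot: the added `$this->hash_password($password);` discards its result, so the only thing that matters for the fix is that its cost matches the cost of the verification performed for an existing user; if `hash_password` generates a salt and hashes at a different cost, or takes a different early-exit path for some inputs, the two code paths will still differ measurably. The comment `//Hash something anyway, just to take up time` should say why, for example `// Hash anyway so a nonexistent identity takes as long as a bad password (timing side channel)`, because a call that looks like dead work is exactly the kind of line a later cleanup removes.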