
Hash passwords even when users don't exist.

Not hashing passwords when users don't exist means there is an
opportunity for timing attacks when people use blowfish or other
expensive hashing algorithms.
1 parent 2219991 commit 17e4eee73d84dbc5a65a4b9fae2adafdf6d46e45 @markstory markstory committed Jul 2, 2013
@@ -83,6 +83,9 @@ public function __construct(ComponentCollection $collection, $settings) {
* conditions for Model::find('first'). If the $password param is not provided
* the password field will be present in returned array.
*
+ * Input passwords will be hashed even when a user doesn't exist. This
+ * helps mitigate timing attacks that are attempting to find valid usernames.
+ *
* @param string|array $username The username/identifier, or an array of find conditions.
* @param string $password The password, only used if $username param is string.
* @return boolean|array Either false on failure, or an array of user data.
@@ -95,9 +98,6 @@ protected function _findUser($username, $password = null) {
if (is_array($username)) {
$conditions = $username;
} else {
- if (!$password) {
- return false;
- }
$conditions = array(
$model . '.' . $fields['username'] => $username
);
@@ -113,6 +113,7 @@ protected function _findUser($username, $password = null) {
'contain' => $this->settings['contain'],
));
if (empty($result[$model])) {
+ $this->passwordHasher()->hash($password);
return false;
}
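Review bot: The discarded `$this->passwordHasher()->hash($password)` on the empty-result branch needs a comment stating its purpose, otherwise it reads as a leftover call and is likely to be removed by the next cleanup; e.g. `// Hash anyway so a missing user costs about as much as a wrong password (timing).` With the early return for an empty `$password` dropped in the preceding hunk, the string-username/no-password path the docblock describes now reaches this line with `$password` null, so the hasher is invoked on null; harmless for the Simple hasher as far as I can tell, but worth saying in that comment or casting with `(string)$password`. The docblock addition claims input passwords are hashed whenever a user doesn't exist, but the found-user path runs `check()` rather than `hash()`, so the two costs are only comparable when the stored hash and the hasher use the same algorithm and cost; a sentence to that effect would keep the docblock honest. `_findUser` continues past the end of this hunk.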
@@ -86,7 +86,8 @@ class DigestAuthenticate extends BasicAuthenticate {
'realm' => '',
'qop' => 'auth',
'nonce' => '',
- 'opaque' => ''
+ 'opaque' => '',
+ 'passwordHasher' => 'Simple',
);
/**
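Review bot: The new `'passwordHasher' => 'Simple'` default needs a comment explaining why a hasher setting appears on DigestAuthenticate at all, since a reader will otherwise assume stored digest credentials are run through it. If Digest still compares the stored value directly (not shown in this hunk), something like `// Used only for the dummy hash in BaseAuthenticate::_findUser() when no user is found; Digest itself never hashes stored passwords.` above the line would make the intent clear. The settings array begins outside the hunk, so its other keys are not visible here.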
