New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Example in readme is vulnerable to timing attack #56

Closed

LostKobrakai opened this issue Jul 17, 2019 · 1 comment · Fixed by #57

LostKobrakai commented Jul 17, 2019

    user = Repo.get_by(User, email: username)

    cond do
      user == nil                            -> {:error, :no_user_found}
      check_pw(user.password_hash, password) -> {:ok, user}
      true                                   -> {:error, :invalid_password}
    end

Even if no user was found the pw should be checked to ensure response timings are consistent for both.

The text was updated successfully, but these errors were encountered:

LostKobrakai changed the title ~~Example in readme is vulnerable to timing attacks~~ Example in readme is vulnerable to timing attack

danschultzer mentioned this issue

Prevent timing attack in readme example #57

Merged

Owner

danschultzer commented Jul 17, 2019

Thanks! I've opened #57 that improves the example.

danschultzer mentioned this issue

Timing attacks pow-auth/pow#238

Closed

danschultzer closed this as completed in #57

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment