You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hello,
I am a bit concerned by the example presented.
Indeed the hash function is likely to take some time and therefore even if the email is not leaked by the error message, it is instead leaked by the difference of time the server took to respond.
A better way in my opinion would be to compute an hash in all cases like:
// Validating the existence of a user with the specified email.constexistingUser=awaitUser.findOne({ email });if(!existingUser){let_=awaitbcrypt.compare(password,"fake password used to counter timing attack");returnres.status(401).json({errorMessage: "Invalid email or password."});}// Validating the password attributed to that User object with the passwordHash// from the database.constpasswordCorrect=awaitbcrypt.compare(password,existingUser.passwordHash);if(!passwordCorrect){returnres.status(401).json({errorMessage: "Invalid email or password."});}
I understand the extra line can undermine the point about error messsages which is the crucial first step, but I feel like at least an extra note about it should be added at the end.
The text was updated successfully, but these errors were encountered:
Hello,
I am a bit concerned by the example presented.
Indeed the hash function is likely to take some time and therefore even if the email is not leaked by the error message, it is instead leaked by the difference of time the server took to respond.
A better way in my opinion would be to compute an hash in all cases like:
I understand the extra line can undermine the point about error messsages which is the crucial first step, but I feel like at least an extra note about it should be added at the end.
The text was updated successfully, but these errors were encountered: