Jackrabbit Oak / OAK-1616

Password utility: prevent timing attacks

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.20
    • Component/s: security
    • Labels:
      None

      Description

      Currently, password hashes are compared by looping over the hash and stopping on the first mismatch. In theory an attacker can launch a timing attack.

      I don't think it's a problem by itself in practice, but it might in combination with other issues. For example, if the hash algorithm is somewhat broken, or the salt is known to the attacker.

      But anyway, it's easy to fix, so I think it should be fixed.

            People

            • Assignee:
              thomasm Thomas Mueller
              Reporter:
              thomasm Thomas Mueller
            • Votes:
              0
              Watchers:
              2

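The comparison pattern the description refers to, next to a constant-time alternative, as an added Java example (not Oak's code and not the committed fix). Class and method names are hypothetical, the hash strings are constructed, and hashes are assumed to be equal-length hex strings.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration; names are hypothetical and not taken from Oak.
public class HashCompareDemo {

    // Comparisons performed by the last earlyExitEquals call (a proxy for its running time).
    static int steps;

    // The pattern from the issue: loop over the hash and stop on the first mismatch.
    static boolean earlyExitEquals(String a, String b) {
        steps = 0;
        if (a.length() != b.length()) {
            return false;
        }
        for (int i = 0; i < a.length(); i++) {
            steps++;
            if (a.charAt(i) != b.charAt(i)) {
                return false; // work done grows with the length of the matching prefix
            }
        }
        return true;
    }

    // Constant-time variant: visits every position and only accumulates differences.
    static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes(StandardCharsets.UTF_8);
        byte[] y = b.getBytes(StandardCharsets.UTF_8);
        if (x.length != y.length) {
            return false; // digest length is fixed by the algorithm, so it is not secret
        }
        int diff = 0;
        for (int i = 0; i < x.length; i++) {
            diff |= x[i] ^ y[i]; // no branch on secret data inside the loop
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        String stored = "a1b2c3d4e5f60718"; // constructed sample value, not a real hash
        String[] candidates = {"0000000000000000", "a1b2000000000000", "a1b2c3d4e5f60719"};
        for (String c : candidates) {
            boolean early = earlyExitEquals(stored, c);
            boolean jdk = MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                    c.getBytes(StandardCharsets.UTF_8)); // JDK's time-constant byte[] compare
            System.out.printf("%s early=%b steps=%d constant=%b jdk=%b%n",
                    c, early, steps, constantTimeEquals(stored, c), jdk);
        }
    }
}
```

The `steps` column differs per candidate for the early-exit loop even though all three results are `false`; the constant-time variants do the same amount of work for each.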