tech-userlevel archive


Re: const time authentication in bozohttpd



On Wed, Jun 25, 2014 at 07:35:12AM +0000, shm wrote:
> bozohttpd currently checks passwords using strcmp, which may leak information
> about the compared data; my patch [1] introduces the following countermeasures:

Personally, I would find it much more useful to allow using cdbr(3) for
indexed access. Pad the username to the maximum length found and it all
boils down to the user having consistent crypt(3) hash settings. Even
without the latter, you can't distinguish a valid username from an
invalid one, just that you have a set of accounts using shared hash
settings.

Joerg
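An added illustration of the two comparison strategies under discussion, written for this archive page and not taken from bozohttpd or from the patch [1] referenced above; the function names and the CT_MAXLEN bound are this example's own choices. The first function mirrors strcmp's early exit and reports how many bytes it examined (the quantity a timing side channel exposes); the second visits every byte of a fixed-length buffer with no data-dependent branch; the third applies the padding idea from the reply, copying both strings into zero-filled buffers of a fixed size so the comparison step itself runs in time that depends only on CT_MAXLEN.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code for this thread, not bozohttpd's own. */

/* Early-exit comparison in the style of strcmp: stops at the first
 * differing byte. *steps receives how many bytes were examined, which is
 * exactly what the running time leaks about the secret operand. */
int early_exit_equal(const char *a, const char *b, size_t *steps)
{
    size_t i;
    for (i = 0;; i++) {
        if (a[i] != b[i]) { *steps = i + 1; return 0; }
        if (a[i] == '\0') { *steps = i + 1; return 1; }
    }
}

/* Constant-time comparison of exactly len bytes: every byte is visited and
 * no branch depends on the data. Returns 1 if equal, 0 otherwise. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t len)
{
    uint32_t diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    /* Map diff==0 -> 1 and diff!=0 -> 0 without a data-dependent branch:
     * for any nonzero 32-bit diff, diff | -diff has the top bit set. */
    return 1 - (int)((diff | ((uint32_t)0 - diff)) >> 31);
}

#define CT_MAXLEN 256  /* assumed upper bound on a hash/username length */

/* Bounded strlen without reading past max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Compare two NUL-terminated strings by padding both to CT_MAXLEN with
 * zeros and comparing the full buffers (the padding idea from the reply).
 * Two C strings without embedded NULs are equal iff their zero-padded
 * buffers are equal, so no separate length check is needed. The length
 * scans and copies still take time proportional to each string's length;
 * that is why uniform stored lengths (consistent crypt(3) settings) matter.
 * Strings of CT_MAXLEN bytes or more are rejected as unequal. */
int ct_str_equal(const char *provided, const char *stored)
{
    unsigned char pa[CT_MAXLEN], pb[CT_MAXLEN];
    size_t la = bounded_len(provided, CT_MAXLEN);
    size_t lb = bounded_len(stored, CT_MAXLEN);

    if (la == CT_MAXLEN || lb == CT_MAXLEN)
        return 0;
    memset(pa, 0, sizeof pa);
    memcpy(pa, provided, la);
    memset(pb, 0, sizeof pb);
    memcpy(pb, stored, lb);
    return ct_equal(pa, pb, CT_MAXLEN);
}

int main(void)
{
    /* Constructed sample values, not real credentials. */
    const char *stored = "$6$examplesalt$examplehash";
    size_t steps;

    early_exit_equal(stored, "$6$examplesalt$examplehasX", &steps);
    printf("early exit: mismatch near the end, examined %zu bytes\n", steps);
    early_exit_equal(stored, "X", &steps);
    printf("early exit: mismatch at the start, examined %zu bytes\n", steps);
    printf("constant-time: %d %d\n",
           ct_str_equal(stored, "$6$examplesalt$examplehash"),
           ct_str_equal(stored, "X"));
    return 0;
}
```

The two printed step counts differ by the position of the first mismatch, which is the signal strcmp leaks; ct_str_equal always walks all CT_MAXLEN bytes regardless of where the strings diverge.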

