Burglary protection
kot-airplane, 2018-05-04 05:43:22

What's wrong with comparing strings in constant time?

From the PHP documentation:

Note that if you are using the crypt() function to verify a password, then you need to guard against timing attacks by using string comparisons that take constant time. Neither PHP's == and === operators nor the strcmp() function perform constant-time comparisons. The password_verify() function does exactly what is needed.

What's wrong with string comparison that takes constant time? password_verify() apparently makes it take longer, preventing enumeration, but why such strange wording? It could have been written that the comparison works too fast and therefore is not suitable.
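
The distinction the quoted documentation note draws, as an added example that is not part of the original question: an early-exit comparison does work that depends on how many leading bytes of the guess are correct, while a constant-time comparison does the same work for every guess. The two helper functions and the sample values are constructed for illustration; hash_equals(), password_hash() and password_verify() are PHP built-ins.

```php
<?php
// Early-exit comparison, the way ==, === and strcmp() behave: it stops at the
// first mismatching byte. Returns [equal?, bytes examined] so the data-dependent
// amount of work is visible without measuring wall-clock time.
function early_exit_equals(string $known, string $guess): array
{
    if (strlen($known) !== strlen($guess)) {
        return [false, 0];
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        if ($known[$i] !== $guess[$i]) {
            return [false, $i + 1];   // work done reveals the matching prefix length
        }
    }
    return [true, $n];
}

// Constant-time comparison: every byte is examined and the differences are
// OR-ed together, so the work does not depend on where the first mismatch is.
// (Like hash_equals(), it still returns at once when the lengths differ.)
function constant_time_equals(string $known, string $guess): array
{
    if (strlen($known) !== strlen($guess)) {
        return [false, 0];
    }
    $diff = 0;
    $n = strlen($known);
    for ($i = 0; $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($guess[$i]);
    }
    return [$diff === 0, $n];
}

$stored  = 'a3f9c1d27b';  // constructed stand-in for a stored hash string
$guesses = ['0000000000', 'a300000000', 'a3f9c10000', 'a3f9c1d27b'];  // constructed

foreach ($guesses as $guess) {
    [, $earlySteps] = early_exit_equals($stored, $guess);
    [, $constSteps] = constant_time_equals($stored, $guess);
    printf("%s  early-exit: %2d bytes  constant-time: %2d bytes  hash_equals: %s\n",
        $guess, $earlySteps, $constSteps, var_export(hash_equals($stored, $guess), true));
}

// For password hashes, password_verify() re-hashes the candidate and performs
// the constant-time comparison internally, so no manual comparison is needed.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);  // constructed password
var_dump(password_verify('correct horse', $hash));
var_dump(password_verify('wrong guess', $hash));
```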
