#20760: Account enumeration through timing attack in password verification in
django.contrib.auth
-------------------------------------+-------------------------------------
     Reporter:  jpaglier@…           |                    Owner:  anonymous
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  1.5
     Severity:  Normal               |               Resolution:
     Keywords:  security             |             Triage Stage:  Accepted
  authentication timing enumeration  |      Needs documentation:  0
    Has patch:  1                    |  Patch needs improvement:  1
  Needs tests:  1                    |                    UI/UX:  0
Easy pickings:  0                    |
-------------------------------------+-------------------------------------

Comment (by aaugustin):

 Oh, I see.

 I'd like to avoid the penalty of running the hasher twice when the username
 exists, because it adds up to a few hundred milliseconds to the response
 time of the login view.

--
Ticket URL: <https://code.djangoproject.com/ticket/20760#comment:10>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
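
Added example, not part of the ticket or of Django's code: one way to give unknown and known usernames the same hashing cost while running the hasher only once per login attempt, the constraint raised in the comment above. The user store, the names authenticate and login_cost, and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000      # constructed work factor for the demo
_CALLS = {"n": 0}        # counts hasher runs so the cost per login can be checked


def hash_password(password, salt):
    """Run the expensive hasher once (PBKDF2-HMAC-SHA256 stands in for it)."""
    _CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user store: username -> (salt, derived key)
USERS = {"alice": make_record("correct horse")}

# Dummy record, hashed once at import with the same parameters as real records.
_DUMMY_SALT, _DUMMY_KEY = make_record(os.urandom(16).hex())


def authenticate(username, password):
    """Return True on valid credentials; the hasher runs exactly once either way."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_KEY)
    candidate = hash_password(password, salt)
    matches = hmac.compare_digest(candidate, expected)
    # An unknown username always fails, even if the dummy key happened to match.
    return matches and record is not None


def login_cost(username, password):
    """Return (result, number of hasher runs) for one login attempt."""
    before = _CALLS["n"]
    result = authenticate(username, password)
    return result, _CALLS["n"] - before


if __name__ == "__main__":
    for name, pw in [("alice", "correct horse"), ("alice", "bad"), ("nobody", "bad")]:
        print(name, login_cost(name, pw))
```
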