#20760: Account enumeration through timing attack in password verification in django.contrib.auth
-------------------------------------+-------------------------------------
     Reporter:  jpaglier@…           |                    Owner:  anonymous
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  1.5
     Severity:  Normal               |               Resolution:
     Keywords:  security             |             Triage Stage:  Accepted
  authentication timing enumeration  |      Needs documentation:  0
    Has patch:  1                    |  Patch needs improvement:  1
  Needs tests:  1                    |                    UI/UX:  0
Easy pickings:  0                    |
-------------------------------------+-------------------------------------
Comment (by jpaglier):

Patch written using the set_password() solution, including a test. This solution will still have a timing difference due to the lack of a hash comparison in the case of a failed lookup, on top of those that have already been decided to have been acceptable. Test definitely needs a set of fresh eyes to check it over; it's late enough that I probably made a mistake. Erik, if you have time, could you check out what the difference looks like with this new one?

--
Ticket URL: <https://code.djangoproject.com/ticket/20760#comment:15>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
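The set_password() approach the comment describes, shown as an added example that is not the ticket's patch or Django's own code: the PBKDF2 stand-in hasher, the in-memory user table and the call counter are all constructed here so the two authenticate paths can be compared without Django installed.

```python
import hashlib
import hmac
import os

# Toy stand-in for Django's PBKDF2 hasher: enough work to be measurable.
ITERATIONS = 20_000
hash_calls = 0  # counts key derivations so behaviour can be checked without timing


def make_password(password, salt=None):
    """Return 'salt$hexdigest', running the expensive key derivation once."""
    global hash_calls
    hash_calls += 1
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password, encoded):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = encoded.split("$", 1)
    candidate = make_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, encoded)


# Constructed user table: username -> encoded password.
USERS = {"alice": make_password("correct horse")}


def authenticate_leaky(username, password):
    """Before the fix: an unknown username returns before any hashing, so a
    failed lookup is far faster than a wrong password for a real user."""
    encoded = USERS.get(username)
    if encoded is None:
        return None
    return username if check_password(password, encoded) else None


def authenticate_equalized(username, password):
    """The set_password() approach: on a failed lookup, hash the supplied
    password against a throwaway salt anyway so both paths pay for one key
    derivation. The comparison is still skipped, which is the residual
    difference the comment points out."""
    encoded = USERS.get(username)
    if encoded is None:
        make_password(password)  # same cost as User().set_password(password)
        return None
    return username if check_password(password, encoded) else None


def hasher_calls_for(authenticate, username, password):
    """Helper: how many key derivations one authentication attempt performs."""
    global hash_calls
    hash_calls = 0
    authenticate(username, password)
    return hash_calls
```

Counting derivations rather than wall-clock time keeps the check deterministic; a timing harness would show the same gap closing between the unknown-user and wrong-password paths.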