#15627: check_password should use constant_time_compare instead of == to check passwords
---------------------------------------------+-----------------------
               Reporter:  hvdklauw           |          Owner:  nobody
                 Status:  closed             |      Milestone:  1.3
              Component:  Authentication     |        Version:  1.3-rc1
             Resolution:  fixed              |       Keywords:
           Triage Stage:  Ready for checkin  |      Has patch:  1
    Needs documentation:  0                  |    Needs tests:  0
Patch needs improvement:  0                  |
---------------------------------------------+-----------------------

Comment (by russellm):

 @luke - Yeah - I knew it would be extremely hard to turn this into a functional attack, but it cost nothing to make the change, on the off chance that anyone ever found a way to construct a hash-based timing attack, we're pre-emptively protected.

--
Ticket URL: <http://code.djangoproject.com/ticket/15627#comment:4>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
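
An added example, not code from the ticket or from Django: it models the difference the ticket title describes, with the number of characters examined standing in for elapsed time. The salted SHA-256 scheme, the function names and the sample values are assumptions made for illustration; `hmac.compare_digest` is the Python standard library's constant-time comparison.

```python
import hashlib
import hmac


def early_exit_compare(a, b):
    """Model of `==` on strings: stop at the first differing character.
    Returns (equal, characters_examined)."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def full_scan_compare(a, b):
    """Model of a constant-time comparison: fold every character into one
    accumulator, so the work done does not depend on where the inputs differ."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= ord(x) ^ ord(y)
    return diff == 0, len(a)


def hash_password(salt, raw):
    # Assumed scheme for this example only: hex SHA-256 of salt + password.
    return hashlib.sha256((salt + raw).encode()).hexdigest()


def check_password(raw, salt, stored):
    # The comparison runs on digests, not on the raw password. The caller
    # chooses `raw` but cannot choose the digest it produces.
    return hmac.compare_digest(hash_password(salt, raw), stored)


def examined_counts(compare, salt, stored, guesses):
    """Characters examined per guess when comparing its digest to `stored`."""
    return [compare(hash_password(salt, g), stored)[1] for g in guesses]


if __name__ == "__main__":
    salt, secret = "s4lt", "correct horse"          # constructed sample values
    stored = hash_password(salt, secret)
    guesses = ["a", "b", "password", secret]
    print("early exit:", examined_counts(early_exit_compare, salt, stored, guesses))
    print("full scan: ", examined_counts(full_scan_compare, salt, stored, guesses))
```
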