On Fri, Sep 30, 2011 at 6:43 AM, Dmitry Chestnykh <dmi...@codingrobots.com> wrote: > I'm mostly concerted about cookies, as it's impossible to time non-plain-text > passwords -- the > attacker simply cannot supply passwords which, when hashed, have a few bytes > of hash > modified (that is, when you supply "password", the server looks for > "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" in the database, it's impossible > [at least > now, with SHA-1] to supply such password which hash has, say, "5baa61" in the > beginning, > but a different ending).
Actually, you can do this with a hash. When it comes to comapring 2 hashes, they are still strings of charcters. If anything, the timing attack would save even more time since, for purposes of camparing 2 strings, the hash is just a much longer password. The question then is, is the hash long enough to make the timing attack impractical? _______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users