On Tue, Dec 03, 2013 at 08:55:47PM +0100, Laurens Van Houtven wrote:
> When comparing the result of the scrypt KDF to a previously computed &
> stored value (say, in the context of a stored password), is it necessary to
> compare the two strings in constant time?

If the salts are large and are unpredictable by a remote attacker and are stored only along with the hashes, no.

Alexander
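
The setting discussed in this thread, as an added example that is not part of the original messages: a random per-user salt stored only alongside the scrypt output, with verification done through Python's `hmac.compare_digest`, which compares in constant time regardless of how the salts are handled. The function names, the `salt || hash` record layout and the scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for illustration; tune N/r/p for the target hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_LEN, HASH_LEN = 16, 32
MAXMEM = 64 * 1024 * 1024  # allow the ~16 MiB this parameter set needs


def _derive(password: str, salt: bytes) -> bytes:
    """Run scrypt over the password with the given salt."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        maxmem=MAXMEM,
        dklen=HASH_LEN,
    )


def make_record(password: str) -> bytes:
    """Return salt || hash. The salt is large, random and per-user,
    and it is stored nowhere except next to the hash."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify(password: str, record: bytes) -> bool:
    """Recompute the hash with the stored salt and compare it to the
    stored value without an early exit on the first differing byte."""
    if len(record) != SALT_LEN + HASH_LEN:
        return False  # malformed record: reject rather than raise
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = _derive(password, salt)
    # compare_digest runs in time independent of where the inputs differ.
    return hmac.compare_digest(candidate, stored)
```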
