When attempting to authenticate, if a user does not exist it will throw invalidCredentialsError immediately, while when a user exists it takes much longer because the attempted password gets hashed and compared with the stored password. This allows an attacker to infer whether or not a given account exists based upon the response time of an authentication attempt.
A way to mitigate this is to run a hash of a dummy password that is guaranteed to fail.
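To make the mitigation concrete, here is an added, stand-alone example (not code from the project this issue is about). It shows the leaky shape of the login path next to a version that always performs one password hash, using a dummy record whose random password can never be supplied by a caller. The user store, PBKDF2 parameters and the timing helper are all constructed for the example; the hashing scheme and the exception name are assumptions, not the project's own.

```python
import hashlib
import hmac
import os
import secrets
import time

# Example cost parameter; any real deployment tunes this to its hardware.
ITERATIONS = 200_000


class InvalidCredentialsError(Exception):
    """Raised for both 'no such user' and 'wrong password' (hypothetical name)."""


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256) used for stored and attempted passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store: one real account.
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record used for unknown usernames. Its password is random and never
# disclosed, so the comparison against it is guaranteed to fail; it exists only
# so the unknown-user path does the same amount of hashing work.
DUMMY_RECORD = make_record(secrets.token_hex(32))


def check_credentials_leaky(username: str, password: str) -> bool:
    """The pattern described in the issue: unknown user -> return before hashing."""
    record = USERS.get(username)
    if record is None:
        return False  # microseconds: no hash computed, so timing reveals the user is absent
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])  # hundreds of milliseconds


def check_credentials_constant_work(username: str, password: str) -> bool:
    """Hardened: always hash exactly once, whether or not the user exists."""
    record = USERS.get(username)
    user_exists = record is not None
    if not user_exists:
        record = DUMMY_RECORD
    candidate = hash_password(password, record["salt"])
    match = hmac.compare_digest(candidate, record["hash"])
    # Combine both conditions without branching before the hash. Even if the
    # dummy comparison somehow matched, user_exists is False so login still fails.
    return user_exists and match


def authenticate(username: str, password: str) -> None:
    """Login entry point: raises one generic error for every failure mode."""
    if not check_credentials_constant_work(username, password):
        raise InvalidCredentialsError("invalid credentials")


def measure(check, username: str, password: str) -> float:
    """Wall-clock seconds for one credential check; used to show the gap."""
    start = time.perf_counter()
    check(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for name, check in (("leaky", check_credentials_leaky),
                        ("constant-work", check_credentials_constant_work)):
        known = measure(check, "alice", "wrong password")
        unknown = measure(check, "nobody", "wrong password")
        print(f"{name:14s} known user: {known:.4f}s  unknown user: {unknown:.4f}s")
```

Running the module prints one line per variant; with the leaky check the unknown-user attempt finishes orders of magnitude faster than the known-user attempt, while the constant-work check shows two comparable times. Note that the hardened version still needs the dummy record's salt and cost to match what real records use, otherwise the difference in work reappears as a smaller timing gap.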