Constant-time string comparison to prevent timing attacks

jpvanhal / flask-basicauth

HTTP basic access authentication for Flask.

https://flask-basicauth.readthedocs.io/

Other

85 stars 27 forks source link

Open mgates opened 9 years ago

mgates commented 9 years ago

return password == "password" is vulnerable to timing attacks. Something like https://github.com/PeterScott/streql should be used to prevent them.

I can make a PR if you want.

mdavis-xyz commented 1 year ago

Would this slow down the performance of web pages noticeably? If so, should we make this optional?