Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

My guess is that so people who manage to access database backup cannot hijack accounts plus it gives a good defence against timing attacks as a bonus.


More generally it protects against anybody who has access to the database, including bad actors if it's leaked.

I don't think it protects against timing attack because the common way of doing it is just to use sha256 and use the resulting hash to do a lookup in the database. This is not a fixed time operation


Suppose you used the timing attack to recover the hash of a token, now you need to compute a preimage of the hash.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: