Re: lock(1): use crypt_checkpass(3) for one-off keys

2017-07-06 Thread Scott Cheloha
> On Jun 26, 2017, at 10:49 PM, Ted Unangst wrote:
>
> [...]
>
>>
>> CC'd tedu@ because I'm not sure if I'm using crypt_newhash(3)
>> correctly.
>>
>> Ted: In other places people use _PASSWORD_LEN for the length
>> of the hash buffer. Clearly this works, but it

Re: lock(1): use crypt_checkpass(3) for one-off keys

2017-06-26 Thread Ted Unangst
Scott Cheloha wrote:
> Hi,
>
> Using strcmp(3) to check a password is just asking for a timing
> attack.
>
> I admit that setting up such an attack on a custom lock(1) key at,
> say, a physical terminal would be cumbersome, so maybe this is just
> paranoia.
>
> However, passwords *do* get