> On Jun 26, 2017, at 10:49 PM, Ted Unangst wrote:
>
> [...]
>
>>
>> CC'd tedu@ because I'm not sure if I'm using crypt_newhash(3)
>> correctly.
>>
>> Ted: In other places people use _PASSWORD_LEN for the length
>> of the hash buffer. Clearly this works, but it feels off.
>> _PASSWO
Scott Cheloha wrote:
> Hi,
>
> Using strcmp(3) to check a password is just asking for a timing
> attack.
>
> I admit that setting up such an attack on a custom lock(1) key at,
> say, a physical terminal would be cumbersome, so maybe this is just
> paranoia.
>
> However, passwords *do* get reused
Hi,

Using strcmp(3) to check a password is just asking for a timing
attack.

I admit that setting up such an attack on a custom lock(1) key at,
say, a physical terminal would be cumbersome, so maybe this is just
paranoia.

However, passwords *do* get reused all the time, so I think it
makes sense