Sign In: Timing Attack

[rwieruch]

I had a discussion on Reddit regarding the timing attack vector for the Sign In operation: https://www.reddit.com/r/nextjs/comments/1bvda9r/comment/ky0lqaw/ We came to the conclusion, that the following code snippet could add more security, because the timing of a request for a wrong username/email and password should be similar now.

    let fakePassword = createFakePasswordWithRandomRange({ 
      minChars: 1, 
      maxChars: 40 
    });

    // if (!user) {
    //  throw new Error('Incorrect email or password');
    // }

    const validPassword = await new Argon2id().verify(
      user ? user.hashedPassword : fakePassword,
      formDataRaw.password
    );

  if(!user || !validPassword)
      throw new Error('Incorrect email or password');
   }

Would this work?

[pilcrowOnPaper]

1. I don't think you need to generate a random password with each attempt. An empty string will do.
2. Do you really need to hide the username or email? Usernames are usually public info and the validity of emails can usually be checked with the registration form.

[rwieruch]

You are correct with 2), I was wondering about this too.

1. Ah okay. I thought the password length could be again timed. E.g. an empty string would be faster to verify than a longer fake password.

Thanks for your quick response here!