Why should password hash verification be time consistent?Why is it always `HASH( salt + password )` that we recommend?What encryption hash function I should use for password securing?Why we use GPG signatures for file verification instead of hash values?Why should I hash passwords?Should email verification be followed by password-based login? Why?Potential collision with hash passwordWhy is hashing a password with multiple hash functions useless?Why should password authentication require sending the password?Send hash password or send password to hash in server?Why should we protect access to password hashes?

Why do the Avengers care about returning these items in Endgame?

Are wands in any sort of book going to be too much like Harry Potter?

how to find out if there's files in a folder and exit accordingly (in KSH)

Has everyone forgotten about wildfire?

Why is there a cap on 401k contributions?

Equation of the line that lies tangent to both circles

What dice to use in a game that revolves around triangles?

Ugin's Conjurant vs. un-preventable damage

Was the Highlands Ranch shooting the 115th mass shooting in the US in 2019

How can I test a shell script in a "safe environment" to avoid harm to my computer?

Integral with DiracDelta. Can Mathematica be made to solve this?

Narcissistic cube asks who are we?

Is every story set in the future "science fiction"?

Was there a contingency plan in place if Little Boy failed to detonate?

Is there any evidence to support the claim that the United States was "suckered into WW1" by Zionists, made by Benjamin Freedman in his 1961 speech

Why use steam instead of just hot air?

Is it a good idea to copy a trader when investing?

TeX Gyre Pagella Math Integral sign much too small

Lorentz invariance of Maxwell's equations in matter

Does a surprised creature obey the 1st level spell Command?

How come mathematicians published in Annals of Eugenics?

What does the "DS" in "DS-..." US visa application forms stand for?

Why does the electron wavefunction not collapse within atoms at room temperature in gas, liquids or solids due to decoherence?

Is it safe to keep the GPU on 100% utilization for a very long time?



Why should password hash verification be time consistent?


Why is it always `HASH( salt + password )` that we recommend?What encryption hash function I should use for password securing?Why we use GPG signatures for file verification instead of hash values?Why should I hash passwords?Should email verification be followed by password-based login? Why?Potential collision with hash passwordWhy is hashing a password with multiple hash functions useless?Why should password authentication require sending the password?Send hash password or send password to hash in server?Why should we protect access to password hashes?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








3















In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method



 /// <remarks>Implementations of this method should be time consistent.</remarks>


And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.



// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)



At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.



However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.



What is the purpose of ensuring a constant time hash verification?






passwords hash







share|improve this question







New contributor



trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Is that function used for anything other than comparing hashes?

    – forest
    3 hours ago











  • no it is only used for comparing hashes

    – trampster
    3 hours ago

















3















In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method



 /// <remarks>Implementations of this method should be time consistent.</remarks>


And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.



// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)



At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.



However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.



What is the purpose of ensuring a constant time hash verification?






passwords hash







share|improve this question







New contributor



trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Is that function used for anything other than comparing hashes?

    – forest
    3 hours ago











  • no it is only used for comparing hashes

    – trampster
    3 hours ago













3












3








3


1






In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method



 /// <remarks>Implementations of this method should be time consistent.</remarks>


And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.



// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)



At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.



However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.



What is the purpose of ensuring a constant time hash verification?






passwords hash







share|improve this question







New contributor



trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method



 /// <remarks>Implementations of this method should be time consistent.</remarks>


And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.



// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)



At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.



However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.



What is the purpose of ensuring a constant time hash verification?






passwords hash




passwords hash






share|improve this question







New contributor



trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










share|improve this question







New contributor



trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








share|improve this question




share|improve this question






New contributor



trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








asked 3 hours ago









trampstertrampster

1163




1163




New contributor



trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




New contributor




trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.














  • Is that function used for anything other than comparing hashes?

    – forest
    3 hours ago











  • no it is only used for comparing hashes

    – trampster
    3 hours ago

















  • Is that function used for anything other than comparing hashes?

    – forest
    3 hours ago











  • no it is only used for comparing hashes

    – trampster
    3 hours ago
















Is that function used for anything other than comparing hashes?

– forest
3 hours ago





Is that function used for anything other than comparing hashes?

– forest
3 hours ago













no it is only used for comparing hashes

– trampster
3 hours ago





no it is only used for comparing hashes

– trampster
3 hours ago










1 Answer
1






active

oldest

votes


















5














Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.



More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.






share|improve this answer

























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    trampster is a new contributor. Be nice, and check out our Code of Conduct.









    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209807%2fwhy-should-password-hash-verification-be-time-consistent%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    5














    Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.



    More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.






    share|improve this answer





























      5














      Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.



      More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.






      share|improve this answer



























        5












        5








        5







        Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.



        More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.






        share|improve this answer















        Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.



        More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 3 hours ago

























        answered 3 hours ago









        forestforest

        41.2k18132148




        41.2k18132148




















            trampster is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            trampster is a new contributor. Be nice, and check out our Code of Conduct.












            trampster is a new contributor. Be nice, and check out our Code of Conduct.











            trampster is a new contributor. Be nice, and check out our Code of Conduct.














            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209807%2fwhy-should-password-hash-verification-be-time-consistent%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

            Image
            Internet forum softwarePHP software Internet communityPHPMySQLdatabase management systemInternet forumCharles WarnerMatt MechamJarvis Entertainment GroupIkonboardInvisionFreeAjaxIPS Community ForumsIPS Community Forumsthis blog entry Invision Community From Wikipedia, the free encyclopedia Jump to navigation Jump to search Invision Community Developer(s) Invision Power Services Stable release 4.4.6 / August 19, 2019 ; 34 days ago  ( 2019-08-19 ) Platform PHP / MySQL Type Forum software License Proprietary Website invisioncommunity.com Invision Community (previously known as IPS Community Suite ) is primarily an Internet community software produced by Invision Power Services, Inc. It is written in PHP and uses MySQL as a database management system. Invision Power Services sell applications that each can be bought and installed separately in addition to the Suite, the most widely known being the Internet forum software Invision Power Board. Invisi
            Read more

            Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

            Image
            Would it be easier to colonise a living world or a dead world? Postal services in Italy - Poste Italiane vs. Friendpost vs. GPS What is /dev/null and why can't I use hx on it? Why are engines with carburetors hard to start in cold weather? How to make a gift without seeming creepy? Without exposing his identity, did Roy help his parents with money so that they can afford to stay in their home? Does the Creighton Method of Natural Family Planning have a failure rate of 3.2% or less? How do I break the broom in Untitled Goose Game? Had there been instances of national states banning harmful imports before the mid-19th C Opium Wars? D&D Monsters and Copyright Is sleeping on the groud in cold weather better than on an air mattress? Transiting through Switzerland by coach with lots of cash quadratic equations on 2 by 2 matrices Always Lubricate Skewers? I pay for a service, but I miss the broadcast Iron-age tools, is there a way to extract heavy metals
            Read more

            Tom Holland Mục lục Đầu đời và giáo dục | Sự nghiệp | Cuộc sống cá nhân | Phim tham gia | Giải thưởng và đề cử | Chú thích | Liên kết ngoài | Trình đơn chuyển hướngProfile“Person Details for Thomas Stanley Holland, "England and Wales Birth Registration Index, 1837-2008" — FamilySearch.org”"Meet Tom Holland... the 16-year-old star of The Impossible""Schoolboy actor Tom Holland finds himself in Oscar contention for role in tsunami drama"“Naomi Watts on the Prince William and Harry's reaction to her film about the late Princess Diana”lưu trữ"Holland and Pflueger Are West End's Two New 'Billy Elliots'""I'm so envious of my son, the movie star! British writer Dominic Holland's spent 20 years trying to crack Hollywood - but he's been beaten to it by a very unlikely rival"“Richard and Margaret Povey of Jersey, Channel Islands, UK: Information about Thomas Stanley Holland”"Tom Holland to play Billy Elliot""New Billy Elliot leaving the garage"Billy Elliot the Musical - Tom Holland - Billy"A Tale of four Billys: Tom Holland""The Feel Good Factor""Thames Christian College schoolboys join Myleene Klass for The Feelgood Factor""Government launches £600,000 arts bursaries pilot""BILLY's Chapman, Holland, Gardner & Jackson-Keen Visit Prime Minister""Elton John 'blown away' by Billy Elliot fifth birthday" (video with John's interview and fragments of Holland's performance)"First News interviews Arrietty's Tom Holland"“33rd Critics' Circle Film Awards winners”“National Board of Review Current Awards”Bản gốc"Ron Howard Whaling Tale 'In The Heart Of The Sea' Casts Tom Holland"“'Spider-Man' Finds Tom Holland to Star as New Web-Slinger”lưu trữ“Captain America: Civil War (2016)”“Film Review: ‘Captain America: Civil War’”lưu trữ“‘Captain America: Civil War’ review: Choose your own avenger”lưu trữ“The Lost City of Z reviews”“Sony Pictures and Marvel Studios Find Their 'Spider-Man' Star and Director”“‘Mary Magdalene’, ‘Current War’ & ‘Wind River’ Get 2017 Release Dates From Weinstein”“Lionsgate Unleashing Daisy Ridley & Tom Holland Starrer ‘Chaos Walking’ In Cannes”“PTA's 'Master' Leads Chicago Film Critics Nominations, UPDATED: Houston and Indiana Critics Nominations”“Nominaciones Goya 2013 Telecinco Cinema – ENG”“Jameson Empire Film Awards: Martin Freeman wins best actor for performance in The Hobbit”“34th Annual Young Artist Awards”Bản gốc“Teen Choice Awards 2016—Captain America: Civil War Leads Second Wave of Nominations”“BAFTA Film Award Nominations: ‘La La Land’ Leads Race”“Saturn Awards Nominations 2017: 'Rogue One,' 'Walking Dead' Lead”Tom HollandTom HollandTom HollandTom Hollandmedia.gettyimages.comWorldCat Identities300279794no20130442900000 0004 0355 42791085670554170004732cb16706349t(data)XX5557367

            Image
            Sinh 1996Nhân vật còn sốngNam diễn viên Anh 1 tháng 61996người AnhNhà hát cung điện VictoriaLuân ĐônSpider-ManMarvel Cinematic UniverseKingston upon ThamesLuân ĐônIsle of ManIrelandDonheadCông giáo La MãWimbledonWimbledonCông giáo RômaNifty Feet Dance SchoolLynne PageBilly ElliotBilly Elliot the MusicalWest EndBilly Elliot The MusicalTanner PfluegerBilly ElliotsTanner PfluegerLayton WilliamsAngry DanceBilly Elliot the MusicalMyleene KlassBilly Elliot the Musical10 Downing StreetGordon BrownWolf HallBBC TwoGregory CromwellThomas CromwellMark RylanceBeneath a Scarlet SkyLip Sync BattleZendayaGiải Oscar cho hiệu ứng hình ảnh xuất sắc nhấtGiải thưởng Viện Hàn lâmTội phạm nhân bản 2049Jimmy Kimmel Live!Người nhệnGhibli StudioJuan Antonio BayonaNaomi WaHttsEwan McGregorLiên hoan phim Quốc tế TorontoLondon Film CriticsSaoirse RonanRon HowardPeter ParkerSpider-ManMarvelCharlie HunnamJames GraySamuel InsullAlfonso Gomez-RejonPatrick Ness Chaos WalkingDaisy RidleyDoug LimanNathan DrakeUnchartedN
            Read more