This repository has been archived by the owner on May 25, 2021. It is now read-only.
If a password doesn't match the scrypt format, an IllegalArgumentException is thrown. It would be useful to have something to put in the password field that reliably matches no password, so that passwords can conveniently be disabled.
Thanks for writing this!
Hi Paul, I'm not quite sure what you mean. Are you asking for a magic string that can be passed to SCryptUtil.check() that will always result in a false match? If so, that seems like something application-specific rather than belonging in a library.
That's exactly what I have in mind. The downside with handling it at the application level is that the timing will be different; I'd prefer that an attacker wasn't able to tell by timing that the password was disabled. However, given that the timing of scrypt is variable anyway there may not be a good fix to that.
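One way to handle the disabled-password case at the application level while still spending one scrypt derivation per attempt, as an added example that is not part of this thread or of the library. `PasswordGate`, the `DISABLED` marker and the cost parameters are assumptions; only `SCryptUtil.scrypt` and `SCryptUtil.check` come from the library.

```java
import com.lambdaworks.crypto.SCryptUtil;
import java.security.SecureRandom;
import java.util.Base64;

/** Hypothetical application-level wrapper; not part of the scrypt library. */
public final class PasswordGate {
    // Assumed cost parameters: use the values the application hashes real passwords with,
    // otherwise the dummy derivation will not cost the same as a real one.
    private static final int N = 16384, R = 8, P = 1;

    // Hypothetical marker stored in the password field of a disabled account.
    // It is not a valid scrypt hash, so it must never reach SCryptUtil.check().
    public static final String DISABLED = "!";

    // Hash of a random throwaway secret, computed once at class load.
    // Disabled accounts are checked against this so the scrypt work is still done.
    private static final String DUMMY_HASH = SCryptUtil.scrypt(randomSecret(), N, R, P);

    private static String randomSecret() {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        return Base64.getEncoder().encodeToString(secret);
    }

    /** Returns true only if the account has a usable password and the candidate matches it. */
    public static boolean check(String candidate, String stored) {
        boolean usable = stored != null && !DISABLED.equals(stored);
        // Run exactly one derivation on both paths. A malformed non-marker value
        // still raises IllegalArgumentException, as the library does today.
        boolean matched = SCryptUtil.check(candidate, usable ? stored : DUMMY_HASH);
        // Non-short-circuit AND: a disabled account is rejected whatever the dummy check returned.
        return usable & matched;
    }

    public static void main(String[] args) {
        // Constructed sample values for demonstration.
        String real = SCryptUtil.scrypt("correct horse", N, R, P);
        System.out.println("valid password:   " + check("correct horse", real));
        System.out.println("wrong password:   " + check("wrong", real));
        System.out.println("disabled account: " + check("correct horse", DISABLED));
        System.out.println("no password set:  " + check("correct horse", null));
    }
}
```

The two paths cost the same only when stored hashes use the same N, r and p as the dummy hash, since those parameters are read from the hashed value itself.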