It’s All About Time: Timing attacks in PHP

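$query = "SELECT * FROM users WHERE id = ?";
$stmt = $pdo->prepare($query);
$stmt->execute([$_POST['id']]); // bind the submitted id (field name assumed)
$user = $stmt->fetchObject();

// password_verify() only runs when a row was found: this is the timing leak
if ($user && password_verify($_POST['password'], $user->password)) {
    return true;
}
return false;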

There is an information leak here: If you try different user names, it will take a different amount of time depending on if the username is there or not. If password_verify takes 0.1 seconds, you can simply measure that difference to determine if the username is valid or not. On average, requests for taken usernames will take longer than those for available ones.
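One way to close this gap, shown as an added example (not code from the linked article or from this post): run exactly one password_verify() on every request by falling back to a dummy hash when no row is found. The function name login(), the $dummyHash parameter, the in-memory SQLite table (needs the pdo_sqlite extension) and the sample credentials are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// $dummyHash must be created ahead of time (e.g. at deploy) with the same
// algorithm and cost as real hashes. Creating it inside the "not found"
// branch would make that branch slower and leak in the other direction.
function login(PDO $pdo, string $id, string $password, string $dummyHash): bool
{
    $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
    $stmt->execute([$id]);
    $user = $stmt->fetchObject();

    // One password_verify() call whether or not the row exists.
    $hash = $user !== false ? $user->password : $dummyHash;
    $matches = password_verify($password, $hash);

    // A match against the dummy hash must never count as a login.
    return $user !== false && $matches;
}

// Constructed demo data: one known user in an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id TEXT PRIMARY KEY, password TEXT)");
$pdo->prepare("INSERT INTO users VALUES (?, ?)")
    ->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Hash of a random throwaway secret, generated once before any login runs.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Both requests fail, and both should now spend about the same time hashing.
foreach (['alice', 'nobody'] as $id) {
    $start = hrtime(true);
    $ok = login($pdo, $id, 'wrong-guess', $dummyHash);
    $ms = (hrtime(true) - $start) / 1e6;
    printf("%-7s ok=%s %.1f ms\n", $id, var_export($ok, true), $ms);
}
```

This equalises only the hashing cost; the database lookup itself can still differ slightly between hit and miss, so login rate limiting remains worth keeping alongside it.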

Highly interesting read, worth your time. Be sure to read the whole thing.

It’s All About Time →


Published by Bramus!
