It’s All About Time: Timing attacks in PHP

$query = "SELECT * FROM users WHERE id = ?";
$stmt = $pdo->prepare($query);
$user = $stmt->fetchObject();

if ($user && password_verify($_POST['password'], $user->password)) {
    return true;
return false;

There is information leak here: If you try different user names, it will take a different amount of time depending on if the username is there or not. If password_verify takes 0.1 seconds, you can simply measure that difference to determine if the username is valid or not. On average, requests for taken usernames will take longer than those for available ones.

Highly interesting read, worth your time. Be sure to read the whole thing.

It’s All About Time →


Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.