Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> This doesn't address timing attacks, which are why this is done in the first place.

I don't follow. Surely the reason to hide usernames is not to prevent a timing attack that would reveal... usernames.



I might be missing what you're not following, but here's a quick explanation (and a reason why it's not a concern)

Correct username, correct password: takes 30ms to execute the code

Correct username, incorrect password: takes 15 ms to execute the code

Incorrect username: Takes 7 ms to execute the code.

You fuzz usernames, you get one that takes 15 ms, you know that's a valid username. You then start working the password.

Not necessary on most systems, because we're working at speeds that are measured in nanoseconds, and since we're using networks for many attacks, the delays are unpredictable and measured in (at least) milliseconds.


I understand how the timing attack works. I don't understand how it's a justification for hiding usernames. "You need to try to hide A because if you're not careful they can find A."

If anything the timing attacks weaken the argument against hiding usernames.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: