Timing Attack and login System Design

Source: Internet
Author: User

Timing attacks obtain additional information by observing how long certain operations take. Depending on how a system is designed and implemented, an attacker can learn different things from these timings. In short, as the designer of a security system you must fully understand the various channels through which information may leak and take appropriate countermeasures against each of them.
 
I thought of an example during my discussion with people today.
 
To resist GPU brute-force (exhaustive search) attacks, we may use hash algorithms with an increased number of rounds. The login process of a flawed login system is roughly as follows:
 
1. Obtain the user name and password from the user's input.
2. Look up the corresponding password hash in the database by user name. If the user is not found, respond "incorrect user name or password".
3. Using the salt stored in the hash string and the entered password, compute the hash with the configured algorithm and compare it with the stored value. If the hash values do not match, respond "incorrect user name or password".
Suppose the algorithm used to compute the hash is deliberately slow. The problem with the above process is that when the user does not exist, the system returns the same message, "incorrect user name or password", but the response time differs from the case where the user exists, because the slow hash computation is skipped. In this way, the login system discloses information such as "this user does not exist".
 
The remedy is to compute a hash with the same algorithm even when the user does not exist, and only then respond "incorrect user name or password"; another approach is to add a random delay. Which method to use depends on the specific application scenario.
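The following is an added illustration, not code from the original post: a leaky login check beside the fixed version that always runs the slow hash (PBKDF2 here, standing in for "a slow enough algorithm"), plus a small timing helper to show the difference. The user table, the dummy record and all function names are constructed for this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # high round count, the "increased number of rounds" from the text


def make_record(password: str) -> dict:
    """Salted, slow password hash, as stored in the database (constructed format)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed sample user table (hypothetical); a dummy record is prepared once
# so that a lookup miss can still be charged the full hash cost.
USERS = {"alice": make_record("correct horse battery staple")}
DUMMY_RECORD = make_record("dummy-password-never-valid")


def login_leaky(username: str, password: str) -> bool:
    """Flawed flow: an unknown user returns before the slow hash runs."""
    rec = USERS.get(username)
    if rec is None:
        return False  # fast path: the timing difference reveals "user does not exist"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])


def login_fixed(username: str, password: str) -> bool:
    """Remedied flow: always perform the same hash work, then decide."""
    rec = USERS.get(username)
    user_exists = rec is not None
    if rec is None:
        rec = DUMMY_RECORD  # same algorithm, same cost, result discarded
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    match = hmac.compare_digest(digest, rec["hash"])  # constant-time comparison
    return user_exists and match


def time_call(fn, *args, repeats: int = 5) -> float:
    """Best-of-N wall-clock time of fn(*args), in seconds (noise-reduced)."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        fn(*args)
        best = min(best, time.perf_counter() - start)
    return best
```

Comparing `time_call(login_leaky, "nobody", "x")` with `time_call(login_leaky, "alice", "x")` shows the gap the attacker measures; the same comparison for `login_fixed` shows it closed.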
 
 
Delphij's Chaos
