Timing Attack Demo
This page demonstrates a timing side-channel vulnerability where password comparison timing leaks information about the correct password.
About this vulnerability:
Timing attacks are a type of side-channel attack where an attacker learns information about secret data by measuring how long operations take.
The Problem:
- The comparison stops as soon as it finds a mismatch – a performance optimisation
- More correct characters = longer execution time (1ms per correct character in this example, greatly exaggerated!)
- Attackers can guess the password character-by-character by measuring response times
- This is much, much faster than brute-force attempts
Attack Strategy:
- Try all characters at position 0, measure timing
- The slowest response reveals the correct first character
- Differences will be very small, so you may need to repeat requests to get reliable timing data
- Repeat for positions 1, 2, 3... until the full password is discovered
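The two points above (the early-exit comparison and the position-by-position recovery it enables) as an added Python example, not part of the original PHP demo. Instead of wall-clock time it uses a step counter (the number of characters the comparison actually examined) as a stand-in for the page's "1ms per correct character", which makes the leak deterministic and easy to see. SECRET, ALPHABET and the assumption that the password length is known are constructed for the example; hmac.compare_digest is Python's equivalent of PHP's hash_equals().

```python
import hmac

# Constructed secret and alphabet for the demo (the real one lives server-side).
SECRET = "s3cret"
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def leaky_compare(secret: str, guess: str) -> tuple[bool, int]:
    """Early-exit comparison, like the page's vulnerable server.

    Returns (match, work). `work` is the number of characters examined and
    stands in for the response time an attacker would measure.
    """
    work = 0
    if len(secret) != len(guess):
        return False, work
    for a, b in zip(secret, guess):
        work += 1
        if a != b:
            return False, work  # stops at the first mismatch: this is the leak
    return True, work


def constant_time_compare(secret: str, guess: str) -> tuple[bool, int]:
    """Examines every character regardless of where the mismatch is.

    hmac.compare_digest is the Python counterpart of PHP's hash_equals();
    `work` is always the full length, so the simulated timing is flat.
    """
    ok = hmac.compare_digest(secret.encode(), guess.encode())
    return ok, len(secret)


def recover_by_timing(compare, length: int, alphabet: str = ALPHABET) -> str:
    """The page's character-by-character strategy driven by `work`.

    At each position keep the candidate whose comparison did the most work;
    a successful match ends the search. Against the constant-time comparator
    every candidate scores the same, so the first alphabet character "wins"
    at every position and the result is unrelated to the secret.
    """
    known = ""
    for pos in range(length):
        best_char, best_work = alphabet[0], -1
        for c in alphabet:
            # Pad the unknown tail so the guess has the assumed length.
            candidate = known + c + alphabet[0] * (length - pos - 1)
            ok, work = compare(SECRET, candidate)
            if ok:
                return candidate
            if work > best_work:
                best_char, best_work = c, work
        known += best_char
    return known


if __name__ == "__main__":
    print("early-exit   :", recover_by_timing(leaky_compare, len(SECRET)))
    print("constant-time:", recover_by_timing(constant_time_compare, len(SECRET)))
```

The early-exit comparator needs only len(ALPHABET) * len(SECRET) guesses to recover the secret (216 here, against 36**6 for brute force); the constant-time comparator gives the attacker nothing to rank candidates by. On a real network the step counter becomes noisy round-trip time, which is why the page notes that requests must be repeated and why rate limiting helps.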
How to fix it:
- Use constant-time comparison: Always compare the entire string, don't exit early
- Use built-in functions: PHP's hash_equals() and password_verify() are designed for timing-safe comparison
- Rate limiting: Limit login attempts to make timing analysis impractical
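The rate-limiting point, as an added Python example (not from the original page): a small sliding-window limiter that caps login attempts per account. The attack above needs many requests per password position, and repeated ones to average out noise, so a cap of a few attempts per minute removes the volume it depends on. AttemptLimiter, its parameters and the injectable clock are constructed for this example.

```python
import time
from collections import deque


class AttemptLimiter:
    """Allow at most `max_attempts` login attempts per account per `window` seconds.

    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_attempts: int = 5, window: float = 60.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._attempts: dict[str, deque] = {}

    def allow(self, account: str) -> bool:
        """Record an attempt for `account`; return False once the cap is hit."""
        now = self.clock()
        history = self._attempts.setdefault(account, deque())
        # Drop attempts that have aged out of the window.
        while history and now - history[0] > self.window:
            history.popleft()
        if len(history) >= self.max_attempts:
            return False
        history.append(now)
        return True


def simulate(limiter: AttemptLimiter, account: str, n: int) -> int:
    """Return how many of `n` back-to-back attempts the limiter lets through."""
    return sum(1 for _ in range(n) if limiter.allow(account))


if __name__ == "__main__":
    limiter = AttemptLimiter(max_attempts=5, window=60.0)
    # 216 attempts were enough to recover the demo secret; only 5 get through.
    print("attempts allowed:", simulate(limiter, "alice", 216))
```

The limiter keys on the account being attacked rather than the source address, so spreading requests over many clients does not raise the budget; combine it with constant-time comparison rather than relying on it alone, since it reduces the attacker's sample count but does not close the leak.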
Secure Example:
<?php
// Constructed values for the example; the demo keeps the secret server-side.
$secret_password = 'correct horse battery staple';
$hashed_password = password_hash($secret_password, PASSWORD_DEFAULT);
$guess = $_POST['password'] ?? '';   // always a string, as hash_equals() requires

// SECURE: Constant-time comparison (known string first, user input second)
if (hash_equals($secret_password, $guess)) {
    // Correct password
} else {
    // Incorrect password
}

// Or for hashed passwords (preferred: the plaintext secret is never stored):
if (password_verify($guess, $hashed_password)) {
    // Correct password
}