Title of post checks out. 
Over? attention to detail.
I always go with a simple rule when it comes to security: if I thought about it there are people already doing it.
Don't show messages on the frontend (or in the server response) if an account doesn't exist. Don't tell people if the error on the login form is due to the email or the password. These are already being exploited by hackers/spammers/suckers.
I just went psycho thinking what if they just analyse the response time? Ergo probably it's already being done.
I'm still trying to wrap my pea brain head around this. But it does sound like an interesting concept.
Time-based blind SQL injection
I was kind of thinking about that, but a fixed 200 ms delay would be easy to detect
(no SQL injection here though in this puzzle scenario)
I thought about randomising it a bit, but given that the server already will add overhead and we have to account for network latency, I thought it would just be enough to offset the thing by a bit. In a DB context with the ability to run queries directly on it I'm assuming it's easier to figure out if certain data exists.
Yep, it's never going to be exactly 200 ms so I wouldn't bother randomising it... unless you go for a wide range like 200-500 ms.
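The timing leak the thread is circling around, and the usual fix for it, as an added example that is not code from any of the posters. Rather than padding with a delay, the hardened handler does the same password-hash work whether or not the email exists (verifying against a dummy credential) and returns one generic message; the user store, names and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed PBKDF2 cost; the point is that it dominates response time


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: email -> (salt, hash). Only one account exists.
_ALICE_SALT = os.urandom(16)
USERS = {"alice@example.com": (_ALICE_SALT, hash_password("correct horse", _ALICE_SALT))}

# Dummy credential no account uses: unknown emails are verified against it so the
# expensive hash runs on both paths and timing no longer reveals account existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)

GENERIC_ERROR = "Invalid email or password."


def authenticate_naive(email: str, password: str) -> tuple[bool, str]:
    """Leaky version: unknown emails return early (fast) with a distinct message."""
    record = USERS.get(email)
    if record is None:
        return False, "No such account."        # no hash computed: much faster
    salt, expected = record
    if hmac.compare_digest(hash_password(password, salt), expected):
        return True, "OK"
    return False, "Wrong password."


def authenticate(email: str, password: str) -> tuple[bool, str]:
    """Hardened version: same work and same message regardless of email existence."""
    record = USERS.get(email)
    known = record is not None
    salt, expected = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(hash_password(password, salt), expected)
    return (True, "OK") if known and match else (False, GENERIC_ERROR)


def median_ms(func, email: str, password: str, runs: int = 5) -> float:
    """Median wall-clock cost of a login attempt, to compare known vs unknown emails."""
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        func(email, password)
        samples.append((time.perf_counter() - start) * 1000)
    return sorted(samples)[runs // 2]


if __name__ == "__main__":
    for f in (authenticate_naive, authenticate):
        print(f.__name__, "known: %.1f ms" % median_ms(f, "alice@example.com", "x"),
              "unknown: %.1f ms" % median_ms(f, "nobody@example.com", "x"))
```

Running it shows the naive handler answering unknown emails in well under a millisecond while known ones cost the full hash, and the hardened handler costing the same on both.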