|mediawiki/core : master||Changing "===" on secrets to hash_equals to protect from timing attacks.|
@Bawolff - Could just do a hash_equals here like you did in T207778, though $username would typically be fairly public, no? Not sure what an attacker might gain from a timing attack in this instance, as compared to the example in T207778.
Yeah, the username is public. I think the password should be considered sensitive at this point, and anything doing comparisons on it should use hash_equals() instead of ===. I think it's a very low priority issue, just something to do when stuff calms down.
Sounds good to me. Even as far as timing attacks this is extremely minor (read impossible) as it's only comparing the entered password, not the actual one. But I think it's good to use hash_equals for any comparison involving a password, just in case.
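The change being discussed, as an added PHP example that is not MediaWiki code: the `===` form beside the `hash_equals()` form, with the string-only requirement of `hash_equals()` handled explicitly. Function names and sample values are constructed for illustration.

```php
<?php
// Added example, not MediaWiki code. Shows the comparison discussed in the
// thread: checking one password-related value against another with
// hash_equals() instead of ===. Function names and values are constructed.

// Form being replaced: === stops at the first mismatching byte, so the time
// taken depends on how long the matching prefix is.
function passwordMatchesNaive( string $expected, string $submitted ): bool {
	return $expected === $submitted;
}

// Hardened form: hash_equals() takes time that depends only on the length of
// $expected, not on where the two strings first differ. It does return false
// immediately when the lengths differ, so length is still observable; that is
// accepted for password checks. Both arguments must be strings, so anything
// coming from request input is checked before the call rather than passed as
// a raw mixed value.
function passwordMatches( string $expected, $submitted ): bool {
	if ( !is_string( $submitted ) ) {
		return false;
	}
	return hash_equals( $expected, $submitted );
}

// Constructed demonstration values, e.g. a password field and its retype field.
$entered = 'correct horse battery staple';
var_dump( passwordMatches( $entered, 'correct horse battery staple' ) );
var_dump( passwordMatches( $entered, 'correct horse battery stapel' ) );
var_dump( passwordMatches( $entered, 12345 ) );
```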