If the username does not exist, you still want to run a bcrypt compare.
The reason for this is that your requests will take on average the same time for an existing and a non-existing user, which prevents timing attacks (where the attacker can see if a username exists by simply timing the response times; the "slower" response times are where the backend is also doing password validation, and thus the username exists).
I learned about this myself when developing a backend in Elixir; I recommend reading the last bit of hexdocs.pm/comeonin/Comeonin.html#...
Interesting! I'll definitely read about that. Thank you for sharing the resource.