Hacker News

I assume that they are implying that the code is not constant time. In this snippet, the code bails as soon as a deviation is detected. This can, in theory, allow an attacker to determine the desired value by measuring the time taken to reject incorrect options. I haven't reviewed the code to see if this is actually a problem, but that's my guess for why it was highlighted.


I took it to mean they should use the Linq `x.SequenceEqual(y)` instead (assuming .NET 3.5+) (and x isn't null...).


Wrong.
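
Added example, not part of the thread and not the code under discussion: a C# sketch of the early-exit comparison the first comment describes, beside a fixed-time version. The class and method names and the byte values are constructed for illustration; `CryptographicOperations.FixedTimeEquals` is the framework method available on .NET Core 2.1 and later.

```csharp
using System;
using System.Security.Cryptography;

static class SecretCompare
{
    // Early-exit comparison: returns at the first differing byte, so the
    // running time grows with the length of the matching prefix.
    public static bool EarlyExitEquals(byte[] expected, byte[] supplied)
    {
        if (expected.Length != supplied.Length) return false;
        for (int i = 0; i < expected.Length; i++)
        {
            if (expected[i] != supplied[i]) return false;
        }
        return true;
    }

    // Fixed-time comparison: every byte is examined and the differences are
    // OR-ed together, so the loop does the same work wherever the first
    // mismatch sits. The length is treated as public information.
    public static bool ConstantTimeEquals(byte[] expected, byte[] supplied)
    {
        if (expected == null || supplied == null) return false;
        if (expected.Length != supplied.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
        {
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample values standing in for a MAC or token.
        byte[] expected       = { 0xde, 0xad, 0xbe, 0xef };
        byte[] firstByteWrong = { 0x00, 0xad, 0xbe, 0xef };
        byte[] lastByteWrong  = { 0xde, 0xad, 0xbe, 0x00 };

        // Both inputs are rejected, but EarlyExitEquals stops after one
        // iteration for the first and after four for the second.
        Console.WriteLine(EarlyExitEquals(expected, firstByteWrong));
        Console.WriteLine(EarlyExitEquals(expected, lastByteWrong));
        Console.WriteLine(ConstantTimeEquals(expected, lastByteWrong));

        // Framework equivalent; prefer it to a hand-written loop.
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(expected, expected));
    }
}
```

`Enumerable.SequenceEqual` makes no constant-time guarantee, so it is not a substitute for the fixed-time comparison when the compared value is secret.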



