Thread:Talk:Requests for comment/Login via e-mail address/Timing attacks on emails with multiple accounts

One other way to avoid a timing attack when an email may be associated with multiple accounts would be to pad the time with extra password checks:
 * 1) Pick a cryptographic random number between A and B (this is R).
 * 2) * Where A is slightly higher than an estimate of the average number of users associated with an email, B is high enough that there are few emails associated with that number of accounts, and there's a bit of space between these numbers.
 * 3) * We may want a (log or exp?) scale that makes this number more likely to be smaller.
 * 4) Subtract the number of users found matching the email address which you need to check the password for from R, but cap it at 0 (this is F).
 * 5) Run a fake password check – by running an actual password verification on some dummy data then discarding the result – repeated F times.
 * 6) * If a fake password verification requires the generation of a new disposable password hash, then always generate one, even if there are no fake password verifications to do.
 * 7) Check the password for all users even after we find one that matches.

This way an attacker:
 * Cannot guess if you verified passwords on 5 users or verified 5 fake passwords for users that do not exist.
 * Without prior knowledge of the value of B. Cannot immediately know that verifying N number of passwords when N > B means that an email has to exist (because normally N is not a constant value across attempts).
 * Note that B can probably be discovered by a determined attacker. By doing timing attacks a large number of times against a single known email and keeping track of the highest N value encountered. Using a random scale that prefers lower numbers will make this harder (because values close to B will be less common) but will only mean this attack on B needs to run longer to work.
 * Alternatively, running the timing attack on an email multiple times to see if N changes would be another method (N will be constant if it is larger than B)