OAuth, OpenID Password Crack Could Affect Millions
CWmike writes "Researchers Nate Lawson and Taylor Nelson say they've discovered a basic security flaw that affects dozens of open-source software libraries — including those used by software that implements the OAuth and OpenID standards — that are used to check passwords and user names when people log into websites such as Twitter and Digg. By trying to log in again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct passwords. This may all sound very theoretical, but timing attacks can actually succeed in the real world. Three years ago, one was used to hack Microsoft's Xbox 360 gaming system, and people who build smart cards have added timing attack protection for years. The researchers plan to discuss their attacks at the Black Hat conference later this month in Las Vegas."
Nevermind that hashing will take a hell of a lot longer than check the entire plaintext password. Nevermind that checking the entire plaintext password is valuable if security matters (and presumably, security is the value of hashing, unless you want to build a reverse lookup table of passwords).
You are beginning to sounds like a troll.
Palm trees and 8