A timing attack is a side-channel vulnerability where an adversary gains information by measuring differences in the time an application takes to perform operations. For example, an application may respond faster when a username is invalid, but take longer when the username is valid and only the password is incorrect (due to password hash calculation or additional database lookups). By precisely measuring these discrepancies, an attacker can enumerate valid usernames or infer secret values such as cryptographic keys.

Remediation

• Use constant-time or atomic operations for all security-sensitive comparisons (e.g., authentication, cryptographic checks).
• Replace standard string or byte comparisons with constant-time functions that do not short-circuit on mismatches.
• Introduce uniform response times for authentication endpoints, independent of input validity.
• For cryptographic operations, use well-vetted libraries that already implement constant-time algorithms.