The Argon2 Dummy Hash: 50 Milliseconds Between Username Enumeration and Peace of Mind

In the previous article, I described a PKCS#12 container bug on Windows. During the audit of the same authentication service, we found something more subtle: a timing oracle on the login endpoint.

The principle is simple. Send a POST to /login with an email that doesn't exist: response in 2ms. Send the same POST with an email that exists but a wrong password: response in 55ms. Same status code, same body. But 53ms difference.

An attacker sending 50 requests per candidate email gets a perfectly readable bimodal histogram. No need to crack anything: they know which accounts exist.

Why the gap exists

Argon2id is a KDF (Key Derivation Function) designed to be slow. That's its job. With standard parameters — time=1, memory=64MiB, threads=4 — a call to argon2.CompareHashAndPassword takes 40 to 80ms depending on the machine.