Yeah, could the DB token lookup timings by themselves be used to find a real token? It might be several layers deep and DBs are noisy, but I think it's still possible in theory. Could you get around this by only storing some hash of both the token and a DB secret?
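One way to implement the keyed-hash storage the comment asks about, as an added illustration that is not part of the thread (the in-memory dict stands in for the DB table, and `TokenStore`, `lookup_key` and `DB_SECRET` are constructed names):

```python
import hashlib
import hmac
import secrets

# Constructed example: the secret lives with the application server, not in
# the DB, so a leak of the table (or of its lookup timings) never yields
# anything that can be replayed as a token.
DB_SECRET = secrets.token_bytes(32)


def lookup_key(token: str, key: bytes) -> str:
    """Value stored in the indexed column: HMAC-SHA256(key, token).

    Any timing difference in the DB's index comparison is a difference on
    this keyed hash. Without the key an attacker cannot compute candidate
    hashes, so observing the comparison tells them nothing about the token.
    A plain unkeyed hash would not give this property, because the attacker
    could compute SHA-256 of guesses themselves.
    """
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()


class TokenStore:
    def __init__(self, key: bytes = DB_SECRET):
        self._key = key
        self._rows = {}  # indexed column (keyed hash) -> user id

    def issue(self, user_id: str) -> str:
        # The raw token goes only to the client; the DB sees the keyed hash.
        token = secrets.token_urlsafe(32)
        self._rows[lookup_key(token, self._key)] = user_id
        return token

    def authenticate(self, presented: str):
        # The DB-side equality lookup operates on the derived value only.
        return self._rows.get(lookup_key(presented, self._key))

    def revoke(self, token: str) -> bool:
        return self._rows.pop(lookup_key(token, self._key), None) is not None

    def stored_values(self):
        """What an attacker who dumped the table would actually see."""
        return list(self._rows)
```

Rotating `DB_SECRET` invalidates every stored row at once, so treat it as a session-signing key with the same backup and rotation procedure.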