So we outsourced a system.
It was the most stupid thing we could've done.
It's my job to make it fucking work.

Just... Why...

@struks93 common hacker trick to brute force logins using timings... If it takes longer to check a password hash on an existing account than it does for one which doesn't exist (same with locked out accounts) then they know it is a valid login account and they can then force the password

@rob4001 That I didn't know! Though I'm yelling you, it's shitty code ;)

They could've gone for a little less CPU intensive approach. Something like a simple sleep(); :-)

@gerritman123 depends on the use case but in general it is best to actually perform the action you are trying it emulate (speed wise) as a sleep could be as easily detectable as doing nothing... Thread sleep overhead and all