Timing Attacks

Azareal

https://thisdata.com/blog/timing-attacks-against-string-comparison/
This is a fairly important attack class which is usually overshadowed by solved problems like SQL Injections and XSS.

With a thousand requests over an hour, an adversary can deduce a string purely based on how long string comparison takes. This is one reason that it's critically important to use constant-time compares in cryptography, session tokens, password hash checks, reset tokens, etc. Otherwise, an attacker can deduce the string character by character.

For Go, the constant time compare function would be subtle.ConstantTimeCompare()

For PHP, it would probably be hash_equals()

I'm not sure about other languages, but they're bound to have their own facilities.
If you don't see hash_equals in use in a piece of PHP software, then it's likely vulnerable.
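The leak described in the post above and its fix, as an added Go example that is not part of the original post. leakyEqual and safeEqual are hypothetical helper names, the token is a constructed sample, and the count of examined bytes stands in for the running time an observer would measure.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// leakyEqual mirrors an ordinary early-exit comparison (what == or strcmp
// typically does). It also returns how many bytes were examined, which stands
// in for the running time an observer could measure.
func leakyEqual(a, b []byte) (equal bool, examined int) {
	if len(a) != len(b) {
		return false, 0
	}
	for i := range a {
		examined++
		if a[i] != b[i] {
			return false, examined // stops at the first mismatch
		}
	}
	return true, examined
}

// safeEqual hashes both inputs to a fixed 32 bytes first, so the comparison
// length does not depend on the secret, then compares in constant time.
// subtle.ConstantTimeCompare alone returns early when the lengths differ.
func safeEqual(supplied, expected []byte) bool {
	s := sha256.Sum256(supplied)
	e := sha256.Sum256(expected)
	return subtle.ConstantTimeCompare(s[:], e[:]) == 1
}

func main() {
	expected := []byte("tok_EXAMPLE_0123") // constructed sample token
	for _, guess := range []string{"xxxxxxxxxxxxxxxx", "tok_xxxxxxxxxxxx", "tok_EXAMPLE_0123"} {
		_, n := leakyEqual([]byte(guess), expected)
		fmt.Printf("%-18q leaky examined %2d bytes, safeEqual=%v\n",
			guess, n, safeEqual([]byte(guess), expected))
	}
}
```

The work done by leakyEqual grows with the length of the matching prefix, which is the signal a timing attack measures; safeEqual does the same amount of comparison work for every input.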
 
Yes, passwords need to be hashed. Luckily, forum software like Xenforo takes care of this in the way it's designed. Not that there aren't flaws in any type of software, but usually it's taken care of. Tools like mod security and lfd firewalls tend to also be effective in preventing the issue from becoming a problem. That's why I chose cPanel as my control panel. I can't stand the free panels; I've tried them before, but they just don't cut it. Not good enough to do any good. You need the best.
 
Not quite the point of the topic, but that is fairly important information as well.
I can't really speak for XenForo, as I haven't really seen its source code, but hashing is bog standard, although I'm not sure about hash_equals.

I've pointed absences of time attacking mitigations out to a couple of forum projects and the developers are usually kind enough to add it in or, if I send them a patch, to merge it into the source code. It's always nice to see how developers are always open to improvements.

Web Application Firewalls, the sort of things that you mentioned, can be useful, although it's also fairly important for application developers not to rely too heavily on them. One really good one is Cloudflare, as it filters out huge numbers of bad actors like spambots, vulnerability scanners, etc., although they can sometimes slip through.

And I usually go for things like SSH over setting up control panels for a number of reasons. Then again, it is a VPS.
 