
argon2id: Do I have to protect against timing attacks on login?

Çağlar Arlı


From other password hashing algorithms, I know that when a user tries to log in and the account does not exist in the first place, it's best practice to still hash the provided password, so as not to leak information about whether the username is valid or not. Some libraries even provide methods explicitly for that purpose.

However, when looking into Argon2id, none of the code examples I have seen so far implement this behavior. For example, loco-rs' SaaS starter template just returns when the account cannot be found.

Is this an oversight in the examples, or is this simply not required with Argon2id?
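The practice the question describes, as an added example (not code from the question or from loco-rs): the standard-library scrypt KDF stands in for argon2id, because the property in play, the login path doing the same expensive work whether or not the username exists, does not depend on which password hash is used. The user table, the password and the KDF parameters are constructed for the example; `USERS`, `DUMMY_HASH` and the two `login_*` functions are hypothetical names.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for the stand-in KDF. In production these would be the
# Argon2id parameters (memory, iterations, parallelism) shared by every stored hash.
SALT_LEN = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _kdf(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF. scrypt from the standard library stands in for argon2id here."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def hash_password(password: str) -> bytes:
    """Return salt || digest, the value that would be stored in the user table."""
    salt = os.urandom(SALT_LEN)
    return salt + _kdf(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest and compare it in constant time."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_kdf(password, salt), expected)


# Hypothetical user table, constructed for the example.
USERS = {"alice": hash_password("correct horse battery staple")}

# Dummy hash for unknown usernames: same parameters as the real hashes, a random
# password that is thrown away, computed once at startup rather than per request.
DUMMY_HASH = hash_password(os.urandom(32).hex())


def login_leaky(username: str, password: str) -> bool:
    """Returns early for an unknown user, so the slow KDF only runs for known users."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify_password(password, stored)


def login_constant_work(username: str, password: str) -> bool:
    """Runs the KDF on every request; unknown users are verified against DUMMY_HASH."""
    stored = USERS.get(username)
    user_exists = stored is not None
    ok = verify_password(password, stored if user_exists else DUMMY_HASH)
    # The dummy password is unguessable, but gate on user_exists anyway so that a
    # bug in DUMMY_HASH generation can never turn into a successful login.
    return ok and user_exists


def median_seconds(fn, *args, rounds: int = 5) -> float:
    """Median wall-clock time of fn(*args) over a few rounds."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


def timing_report() -> dict:
    """Compare the two login paths for a known and an unknown username."""
    return {
        "leaky/known": median_seconds(login_leaky, "alice", "wrong"),
        "leaky/unknown": median_seconds(login_leaky, "mallory", "wrong"),
        "constant/known": median_seconds(login_constant_work, "alice", "wrong"),
        "constant/unknown": median_seconds(login_constant_work, "mallory", "wrong"),
    }


if __name__ == "__main__":
    for path, secs in timing_report().items():
        print(f"{path:18s} {secs * 1000:8.2f} ms")
```

Running the script prints the four timings: the leaky unknown-user path finishes in microseconds (a dictionary lookup and a return), while the other three pay the full KDF cost, which is exactly the difference an attacker enumerating usernames would measure. With argon2-cffi the shape is the same: create one `PasswordHasher`, hash a throwaway random password once at startup, and call `verify()` against that dummy hash whenever the lookup finds no user. The dummy must be produced with the same parameters as the live hashes, otherwise its verification time differs and the leak comes back; the same caveat applies if some accounts still carry hashes made with older, cheaper parameters.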