# Return some error
    ...
```

But by using the `secrets.compare_digest()` it will be secure against a type of attacks called "timing attacks".

### Timing Attacks { #timing-attacks }

But what's a "timing attack"?

Let's imagine some attackers are trying to guess the username and password.

And they send a request with a username `johndoe` and a password `love123`.

这类似于：

```Python
if not (credentials.username == "stanleyjobson") or not (credentials.password == "swordfish"):
    # Return some error
    ...
```

但使用 `secrets.compare_digest()`，可以防御**时差攻击**，更加安全。

### 时差攻击 { #timing-attacks }

什么是**时差攻击**？

假设攻击者试图猜出用户名与密码。

他们发送用户名为 `johndoe`，密码为 `love123` 的请求。

然后，Python 代码执行如下操作：

```Python
if "johndoe" == "stanleyjobson" and "love123" == "swordfish":
    ...
```

這大致等同於：

```Python
if not (credentials.username == "stanleyjobson") or not (credentials.password == "swordfish"):
    # 回傳錯誤
    ...
```

但藉由使用 `secrets.compare_digest()`，可以防禦一種稱為「計時攻擊」的攻擊。

### 計時攻擊 { #timing-attacks }

什麼是「計時攻擊」呢？

想像有攻擊者在嘗試猜測使用者名稱與密碼。

他們送出一個帶有使用者名稱 `johndoe` 與密碼 `love123` 的請求。

接著，你的應用程式中的 Python 程式碼等同於：

```Python
if "johndoe" == "stanleyjobson" and "love123" == "swordfish":
    ...

            }
        }, CrawlingInfoService.class.getCanonicalName());

        crawlingInfoHelper.updateParams(sessionId, "Test Crawl", 5);

        // Verify documentExpires is set (don't check exact timing due to test environment timing issues)
        assertTrue("documentExpires should be set", crawlingInfoHelper.documentExpires > 0);
    }

    @Test
    public void test_updateParams_defaultName() {

```Python
if not (credentials.username == "stanleyjobson") or not (credentials.password == "swordfish"):
    # 何らかのエラーを返す
    ...
```

しかし `secrets.compare_digest()` を使うことで、「タイミング攻撃」と呼ばれる種類の攻撃に対して安全になります。

### タイミング攻撃 { #timing-attacks }

「タイミング攻撃」とは何でしょうか？

攻撃者がユーザー名とパスワードを推測しようとしていると想像してください。

そして、ユーザー名 `johndoe`、パスワード `love123` を使ってリクエストを送ります。

その場合、アプリケーション内の Python コードは次のようなものと等価になります:

```Python

            thread.join();
        }

        // Due to synchronized method, only one thread should reload
        // The count might be 2 (one initial + one reload) or slightly higher due to timing
        assertTrue(loadCount[0] <= 3, "Load count should be small due to synchronization");
    }

    assertThat(startupTimes.get(a)).isAtLeast(150);
    // Service b startup takes at least 353 millis, but starting the timer is delayed by at least
    // 150 milliseconds. so in a perfect world the timing would be 353-150=203ms, but since either
    // of our sleep calls can be arbitrarily delayed we should just assert that there is a time
    // recorded.
    assertThat(startupTimes.get(b)).isNotNull();
  }

      addTests(
          suite,
          method,
          Scenario.UNSATISFIED_AND_INTERRUPTED_BEFORE_WAITING,
          TimeoutsToUse.PAST,
          // prefer responding to interrupt over timing out
          isInterruptible(method) ? Outcome.INTERRUPT : Outcome.FAILURE);
      addTests(
          suite,
          method,
          Scenario.UNSATISFIED_AND_INTERRUPTED_BEFORE_WAITING,

    # Bir hata döndür
    ...
```

Ancak `secrets.compare_digest()` kullanarak, "timing attacks" denilen bir saldırı türüne karşı güvenli olursunuz.

### Timing Attacks { #timing-attacks }

Peki "timing attack" nedir?

Bazı saldırganların kullanıcı adı ve şifreyi tahmin etmeye çalıştığını düşünelim.

    # Devuelve algún error
    ...
```

Pero al usar `secrets.compare_digest()` será seguro contra un tipo de ataques llamados "timing attacks".

### Timing attacks { #timing-attacks }

¿Pero qué es un "timing attack"?

Imaginemos que algunos atacantes están tratando de adivinar el nombre de usuario y la contraseña.