After reading this excellent answer, I learned about the existence of side-channel attacks.
From the code example provided, it is possible to determine the correct password by timing the code when given various inputs.

```c
for (i = 0; i < n; i++) {
    if (password[i] != input[i]) {
        return EFAIL;
    }
}
```

What can I do to ensure that my code is not vulnerable to such timing attacks? I have purposely left this open-ended to allow answers to provide examples and best practices for a variety of common software configurations.
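
The loop from the question beside a constant-time form, as an added example that is not part of the original post: both are instrumented with a `steps` counter so the data-dependent amount of work is visible without a timer. Assumptions: `EFAIL` is defined as -1, `leaky_compare` and `ct_compare` are hypothetical names, the password string is a constructed sample, and both buffers have the same fixed length `n`, as in the question's loop.

```c
#include <stddef.h>
#include <stdio.h>

#define EFAIL (-1) /* assumed value; the page uses EFAIL without defining it */

/* The loop from the question, instrumented: *steps = bytes examined. */
int leaky_compare(const unsigned char *password, const unsigned char *input,
                  size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (password[i] != input[i])
            return EFAIL; /* early exit: work done reveals the matching prefix */
    }
    return 0;
}

/* Hardened form (hypothetical helper): always touches all n bytes and has
 * no branch that depends on secret data. volatile discourages the compiler
 * from reintroducing an early exit. */
int ct_compare(const volatile unsigned char *password,
               const volatile unsigned char *input, size_t n, size_t *steps)
{
    unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(password[i] ^ input[i]); /* accumulate mismatches */
    }
    /* Branch-free mapping: diff == 0 -> 0, diff in 1..255 -> 1. */
    return EFAIL * (int)(((unsigned)diff + 0xFFu) >> 8);
}

int main(void)
{
    const unsigned char *pw = (const unsigned char *)"hunter2!"; /* constructed sample */
    const char *guesses[] = { "xxxxxxxx", "huntxxxx", "hunter2!" };
    for (int g = 0; g < 3; g++) {
        size_t a, b;
        int r1 = leaky_compare(pw, (const unsigned char *)guesses[g], 8, &a);
        int r2 = ct_compare(pw, (const unsigned char *)guesses[g], 8, &b);
        printf("%s leaky: rc=%d steps=%zu | ct: rc=%d steps=%zu\n",
               guesses[g], r1, a, r2, b);
    }
    return 0;
}
```

Where a vetted primitive is available, such as `CRYPTO_memcmp` in OpenSSL or `sodium_memcmp` in libsodium, prefer it over a hand-written loop, and inspect the generated assembly when you do write your own.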