String comparison timing attacks
Strings that share a longer common prefix take longer to compare, because a naive comparison stops at the first differing character. This can make a timing attack possible. However, in practice strings are often not compared one byte at a time, and the time differences are very small. Timing attacks are therefore not necessarily feasible, even when strcmp or == is used to compare strings.
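The following is an added example, not code from the original article, that makes the effect described above visible without relying on noisy wall-clock timing: each comparison routine counts how many byte positions it inspected. The early-exit routine (modelled on a strcmp-style loop) inspects one more byte than the length of the common prefix, while the constant-time routine always inspects every byte and folds the differences into an accumulator. The function and type names (leaky_compare, ct_compare, ct_str_equal, cmp_result) are my own, and the sample strings are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Comparison result plus the number of byte positions the routine looked at.
 * Counting bytes instead of measuring time shows the leak deterministically;
 * real measurements are noisy, which is the caveat the summary raises. */
typedef struct {
    int equal;          /* 1 if the inputs matched, 0 otherwise */
    size_t bytes_seen;  /* how many byte positions were inspected */
} cmp_result;

/* Early-exit comparison, as a typical strcmp-style loop behaves: it stops at
 * the first mismatch, so bytes_seen grows with the length of the shared prefix
 * (and thus with how "close" a guess is to the secret). */
cmp_result leaky_compare(const uint8_t *a, const uint8_t *b, size_t len) {
    cmp_result r = {1, 0};
    for (size_t i = 0; i < len; i++) {
        r.bytes_seen++;
        if (a[i] != b[i]) {
            r.equal = 0;
            break;
        }
    }
    return r;
}

/* Constant-time comparison: XOR every byte pair into an accumulator and only
 * inspect the accumulator at the end, so bytes_seen == len regardless of
 * where (or whether) the inputs differ. */
cmp_result ct_compare(const uint8_t *a, const uint8_t *b, size_t len) {
    cmp_result r = {0, 0};
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= (uint8_t)(a[i] ^ b[i]);
        r.bytes_seen++;
    }
    /* acc is 0 only if every byte matched; (acc - 1) >> 8 is 1 for acc == 0
     * and 0 for any acc in 1..255, without a data-dependent branch. */
    r.equal = (int)((((unsigned)acc - 1u) >> 8) & 1u);
    return r;
}

/* Wrapper for NUL-terminated secrets, e.g. checking a submitted API token
 * against the stored one. A length mismatch is folded into the result instead
 * of returning early, and the loop always runs over the stored secret's length. */
int ct_str_equal(const char *expected, const char *provided) {
    size_t elen = strlen(expected), plen = strlen(provided);
    unsigned diff = (unsigned)(elen != plen);
    for (size_t i = 0; i < elen; i++) {
        /* Stay in bounds: past the end of 'provided', compare 'expected' with
         * itself (contributes no difference) while still spending the iteration. */
        uint8_t p = (i < plen) ? (uint8_t)provided[i] : (uint8_t)expected[i];
        diff |= (unsigned)((uint8_t)expected[i] ^ p);
    }
    return diff == 0;
}

/* Convenience wrappers returning only the work count for equal-length strings. */
size_t leaky_work(const char *a, const char *b) {
    return leaky_compare((const uint8_t *)a, (const uint8_t *)b, strlen(a)).bytes_seen;
}
size_t ct_work(const char *a, const char *b) {
    return ct_compare((const uint8_t *)a, (const uint8_t *)b, strlen(a)).bytes_seen;
}

int main(void) {
    const char *secret = "secret01";               /* constructed sample secret */
    const char *guesses[] = {"xecret01", "secret0x", "secret01"};
    for (int i = 0; i < 3; i++) {
        printf("guess %-9s leaky: %zu bytes  constant-time: %zu bytes  equal: %d\n",
               guesses[i], leaky_work(secret, guesses[i]), ct_work(secret, guesses[i]),
               ct_str_equal(secret, guesses[i]));
    }
    return 0;
}
```

Running it shows the early-exit routine inspecting 1, 8 and 8 bytes for the three guesses while the constant-time routine inspects 8 every time. Whether that difference is measurable over a network is exactly the question the article raises; the constant-time form removes the dependency rather than betting on it being too small to observe.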
Introduction
When an application compares two strings, this can take longer if the strings are more similar. The theory is that the strings are compared character by character. If th...
Read more at sjoerdlangkemper.nl