Hi -
I was using a basic string comparison in the #checkPassword:against: methods and I now understand that that is susceptible to a timing attack on some systems (http://codahale.com/a-lesson-in-timing-attacks/). I'm not sure these types of attack apply to Smalltalk environments or not but its not hard to implement a constant time algorithm.
Instead of failing on the first unmatched character it reports passing/failing after checking all characters in the hashes.
I think the new version is not susceptible to the timing attacks mentioned in the linked article and if you use the package mentioned in the subject you should update to the latest version.
Thanks
Paul
cryptography@lists.squeakfoundation.org