protect against timing attacks

system/config/system.yaml

@@ -71,3 +71,6 @@ debugger:
 images:
   default_image_quality: 85            # Default image quality to use when resampling images (85%)
   debug: false                         # Show an overlay over images indicating the pixel depth of the image when working with retina for example
+
+security:
+  default_hash: $2y$10$kwsyMVwM8/7j0K/6LHT.g.Fs49xOCTp2b8hh/S5.dPJuJcJB6T.UK

system/src/Grav/Common/User/User.php

@@ -55,11 +55,23 @@ class User extends Data
     {
         $save = false;
 
+        // Plain-text is still stored
         if ($this->password) {
-            $save = true;
 
-            $this->hashed_password = Authentication::create($this->password);
-            unset($this->password);
+            if ($password !== $this->password) {
+                // Plain-text passwords do not match, we know we should fail but execute
+                // verify to protect us from timing attacks and return false regardless of
+                // the result
+                Authentication::verify($password, self::getGrav()['config']->get('system.security.default_hash'));
+                return false;
+            }  else {
+                // Plain-text does match, we can update the hash and proceed
+                $save = true;
+
+                $this->hashed_password = Authentication::create($this->password);
+                unset($this->password);
+            }
+
         }
 
         $result = Authentication::verify($password, $this->hashed_password);