It is obvious that if we compare two strings, the comparison is vulnerable to a timing attack.
I'm now wondering whether the timing leakage is still a vulnerability if the comparison is done on the hashes of those two strings.
Isn't it vulnerable to any other kinds of attack? (Suppose we use a hash algorithm that is safe against collision attacks.)
Or simply, what will happen if someone could find out the hash of the original string? Can it be abused?
Here is just an example of the idea:
    user_pass = get_password_from_input();
    /* memcmp() returns 0 when the two digests are equal */
    if (memcmp(sha256(user_pass), sha256(HARD_CODED_PASS), SHA256_SIZE) == 0)
        printf("Welcome!");
    else
        printf("Wrong Password!");
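
An added example, not part of the original question: it models the digest comparison above. `early_exit_bytes_examined` stands in for an early-exit comparison such as the `memcmp` call and returns how many digest bytes it examined, which is what its running time depends on; `ct_equal` does the same amount of work wherever the digests differ. The function names and digest bytes are constructed for illustration and are not real SHA-256 outputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHA256_SIZE 32

/* Constructed sample digests (remaining bytes are zero), not real hashes. */
static const uint8_t STORED[SHA256_SIZE]     = {0x10, 0x20, 0x30, 0x40};
static const uint8_t GUESS_FAR[SHA256_SIZE]  = {0x99, 0x20, 0x30, 0x40};
static const uint8_t GUESS_NEAR[SHA256_SIZE] = {0x10, 0x20, 0x30, 0x41};

/* Models an early-exit comparison: returns the number of bytes examined
 * before a decision was reached. Running time grows with this count. */
size_t early_exit_bytes_examined(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;   /* stops at the first differing byte */
    return n;
}

/* Constant-time equality: always reads all n bytes and has no branch that
 * depends on the data. Returns 1 if equal, 0 otherwise. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t diff = 0;  /* volatile discourages short-circuiting */
    unsigned int d;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    d = diff;
    return (int)(1u & ((d - 1u) >> 8));  /* 1 only when d == 0 */
}

int main(void)
{
    printf("early exit, differs at byte 0: %zu bytes examined\n",
           early_exit_bytes_examined(STORED, GUESS_FAR, SHA256_SIZE));
    printf("early exit, differs at byte 3: %zu bytes examined\n",
           early_exit_bytes_examined(STORED, GUESS_NEAR, SHA256_SIZE));
    printf("constant time: equal=%d near=%d far=%d\n",
           ct_equal(STORED, STORED, SHA256_SIZE),
           ct_equal(STORED, GUESS_NEAR, SHA256_SIZE),
           ct_equal(STORED, GUESS_FAR, SHA256_SIZE));
    return 0;
}
```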