Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unencrypted authentication information #12

Open
daniel-lerch opened this issue May 1, 2020 · 0 comments
Open

Unencrypted authentication information #12

daniel-lerch opened this issue May 1, 2020 · 0 comments
Assignees
@daniel-lerch
Labels
security Improvements or bugs that affect security

Comments

@daniel-lerch
Copy link
Member

One step to improve application security is to store only hash values of authentication information in the server database.

The server will only store SHA-256 hashes in the future (skynet-im/skynet-server#34) but this is useless as long as P15PasswordUpdate contains the KeyHash which is sufficient to create new sessions.

The password update procedure has to be changed in such a way that KeyHash does not have to be stored in the server database anymore.
@daniel-lerch daniel-lerch added the security Improvements or bugs that affect security label May 1, 2020
@daniel-lerch daniel-lerch self-assigned this May 1, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@daniel-lerch daniel-lerch

Labels
security Improvements or bugs that affect security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@daniel-lerch