The missing but crucial feature is "salting" passwords before encryption. The salt does not need to be secret; it only needs to have a defined, limited validity time and to be known to both the client and the server, so that the login page "nonce" can be used in LoginEncrypted.

P.S.: The reason for the need to salt is that, as of now, encrypted passwords can be used in replay attacks, similar to a pass-the-hash attack but passing the encrypted password.
For the UsersManagerEncrypted plugin, see Joey3000/piwik-UsersManagerEncrypted#2.
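The nonce-binding scheme the issue asks for, as an added illustration that is not code from LoginEncrypted or UsersManagerEncrypted: the server issues a single-use, time-limited nonce with the login page, the client encrypts nonce and password together, and the server rejects any blob whose nonce is expired or already consumed, so a captured blob cannot be replayed. The XOR keystream "cipher" is a stand-in for the plugin's real encryption (an assumption, chosen only so the example runs on the standard library); the server key, TTL and field names are also assumptions.

```python
import hashlib
import hmac
import json
import os
import secrets

NONCE_TTL_SECONDS = 120  # assumed validity window for a login-page nonce


class NonceStore:
    """Server-side record of issued login nonces: each is single-use and expires."""

    def __init__(self, ttl=NONCE_TTL_SECONDS):
        self._issued = {}  # nonce -> expiry timestamp
        self.ttl = ttl

    def issue(self, now):
        nonce = secrets.token_hex(16)
        self._issued[nonce] = now + self.ttl
        return nonce  # embedded in the login page for the client

    def consume(self, nonce, now):
        """True only for a nonce that was issued, is unexpired and not yet used."""
        expiry = self._issued.pop(nonce, None)  # pop: a second use always fails
        return expiry is not None and now <= expiry


def _keystream(key, iv, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):  # stand-in for the plugin's encryption, not its code
    iv = os.urandom(16)
    return iv + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))


def decrypt(key, blob):
    iv, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))


def client_login_blob(key, nonce, password):
    """Client side: the nonce is encrypted together with the password, binding them."""
    return encrypt(key, json.dumps({"nonce": nonce, "password": password}).encode())


def server_verify(key, store, blob, expected_password, now):
    """Server side: check the nonce before the password; a replayed blob fails here."""
    try:
        fields = json.loads(decrypt(key, blob))
    except ValueError:
        return False
    if not store.consume(fields.get("nonce", ""), now):
        return False  # expired, unknown, or already consumed: treat as replay
    return hmac.compare_digest(fields.get("password", ""), expected_password)
```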