Do not allow to reuse TOTP passcode #3878
```diff
@@            Coverage Diff             @@
##           master    #3878      +/-   ##
==========================================
- Coverage   20.18%   20.16%   -0.02%
==========================================
  Files         145      145
  Lines       29151    29156       +5
==========================================
- Hits         5883     5880       -3
- Misses      22374    22381       +7
- Partials      894      895       +1
```
@daviian I think @lafriks means that it is easy to bruteforce a hash of 6 characters, so if an attacker has access to the DB, a hash wouldn't really stop them from knowing what the token was. This is fine because tokens change every 30 seconds, and this is a protection just in case someone MITMs a user to intercept the token, so it can't be re-used.
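The mechanism the comment describes, as an added example that is not code from the Gitea PR: a minimal RFC 6238 TOTP verifier that, alongside the shared secret, remembers the last passcode it accepted and refuses it a second time. The `TwoFactor`, `Validate` and `totpAt` names are mine, and the secret is the RFC 4226/6238 reference test key with a fixed clock, so the printed codes are the published test-vector values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// totpAt returns the 6-digit RFC 6238 code (HMAC-SHA1, 30-second steps) for one time step.
func totpAt(secret []byte, step int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation per RFC 4226 section 5.3.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TwoFactor is the per-user state a server keeps (hypothetical type, not Gitea's).
// LastUsedCode is the point of the PR discussion: the most recently accepted passcode,
// stored as-is, because hashing a 6-digit value gains nothing against someone who can
// already read the database; the code is worthless after its 30-second step anyway.
type TwoFactor struct {
	Secret       []byte
	LastUsedCode string
}

// Validate accepts a code for the current step or its two neighbours (clock skew),
// but refuses a code that has already been accepted once, even if its 30-second
// window has not yet expired. That is what stops an intercepted code from being replayed.
func (tf *TwoFactor) Validate(code string, now time.Time) bool {
	if tf.LastUsedCode != "" && hmac.Equal([]byte(code), []byte(tf.LastUsedCode)) {
		return false // replay of a code that was already used
	}
	step := now.Unix() / 30
	for _, s := range []int64{step - 1, step, step + 1} {
		if s < 0 {
			continue
		}
		// Constant-time comparison so timing does not leak how many digits matched.
		if hmac.Equal([]byte(totpAt(tf.Secret, s)), []byte(code)) {
			tf.LastUsedCode = code
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo: RFC 4226/6238 reference secret and a fixed clock (t=59s, step 1).
	tf := &TwoFactor{Secret: []byte("12345678901234567890")}
	now := time.Unix(59, 0)
	code := totpAt(tf.Secret, 1) // what the user's authenticator app would show: 287082
	fmt.Println("first use:", tf.Validate(code, now)) // true
	fmt.Println("replay:   ", tf.Validate(code, now)) // false
}
```

Remembering only the single last passcode blocks the immediate replay the comment is concerned with, but it does not stop a code from being reused after a different code has been accepted in between while the skew window is still open; a stricter variant records the last accepted time step and rejects anything at or before it.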
May 2, 2018
@cezar97 I can't speak on behalf of the other maintainers, but I've asked for a thanks to be added to the blog post for the release notes. As only owners see the security reports, I wasn't able to add the appropriate thanks to my PR for the release blog post.