Using passwords with many special character points to a login loop #166
Comments
|
Piko0(Ky8(Locy1=Cygih7§Rakar7 example |
mtlynch
added a commit
that referenced
this issue
Apr 2, 2022
We were previously storing the password in plaintext as a cookie. This was insecure, but fairly low risk because in order to compromise the key, an attacker would need to compromise the user's browser (beyond XSS, as it's an HttpOnly key). Storing the secret in plaintext additionally had the problem of not properly encoding characters that are not allowed in HTTP cookies. This change hashes passwords with PBKDF2 and stores the result as base64-encoded bytes. Fixes #166
mtlynch
added a commit
that referenced
this issue
Apr 2, 2022
* Use PBKDF2 to hash shared secret We were previously storing the password in plaintext as a cookie. This was insecure, but fairly low risk because in order to compromise the key, an attacker would need to compromise the user's browser (beyond XSS, as it's an HttpOnly key). Storing the secret in plaintext additionally had the problem of not properly encoding characters that are not allowed in HTTP cookies. This change hashes passwords with PBKDF2 and stores the result as base64-encoded bytes. Fixes #166 * Fix error message
|
Thanks for reporting this, @maschhoff! I'm going to cut a new release today that will fix this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you use many special character and generated passwords its ending up in a login loop
The text was updated successfully, but these errors were encountered: