Using passwords with many special character points to a login loop #166
Comments
Piko0(Ky8(Locy1=Cygih7§Rakar7 example
mtlynch added a commit that referenced this issue on Apr 2, 2022:
We were previously storing the password in plaintext as a cookie. This was insecure, but fairly low risk because in order to compromise the key, an attacker would need to compromise the user's browser (beyond XSS, as it's an HttpOnly key). Storing the secret in plaintext additionally had the problem of not properly encoding characters that are not allowed in HTTP cookies. This change hashes passwords with PBKDF2 and stores the result as base64-encoded bytes. Fixes #166
mtlynch added a commit that referenced this issue on Apr 2, 2022:
* Use PBKDF2 to hash shared secret
  We were previously storing the password in plaintext as a cookie. This was insecure, but fairly low risk because in order to compromise the key, an attacker would need to compromise the user's browser (beyond XSS, as it's an HttpOnly key). Storing the secret in plaintext additionally had the problem of not properly encoding characters that are not allowed in HTTP cookies. This change hashes passwords with PBKDF2 and stores the result as base64-encoded bytes. Fixes #166
* Fix error message
Thanks for reporting this, @maschhoff! I'm going to cut a new release today that will fix this.
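An added illustration of the failure mode and the fix described in the commit message above (example code written for this page, not the project's own): a non-ASCII character such as `§` in the reported password is not an RFC 6265 cookie-octet, so a cookie carrying the plaintext secret cannot round-trip intact, whereas a base64-encoded PBKDF2 digest always is. The iteration count, digest length, salt and the sanitizer model are assumptions for the example.

```python
import base64
import hashlib
import hmac

# Password quoted in the issue; '§' (U+00A7) lies outside the RFC 6265 cookie-octet set.
REPORTED_PASSWORD = "Piko0(Ky8(Locy1=Cygih7§Rakar7"

# Assumed parameters for this example, not the project's values.
PBKDF2_ITERATIONS = 100_000
PBKDF2_DKLEN = 32


def is_cookie_safe(value: str) -> bool:
    """True if every character is an RFC 6265 cookie-octet: printable US-ASCII
    excluding CTLs, whitespace, DQUOTE, comma, semicolon and backslash."""
    return all(0x21 <= ord(c) <= 0x7E and c not in '",;\\' for c in value)


def strip_to_cookie_octets(value: str) -> str:
    """Constructed model of a cookie writer that silently drops bytes it cannot emit."""
    return "".join(c for c in value if is_cookie_safe(c))


def derive_cookie_token(password: str, salt: bytes) -> str:
    """Hash the shared secret with PBKDF2-HMAC-SHA256 and base64-encode it.
    Standard base64 ('A-Za-z0-9+/=') consists only of cookie-octets."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, PBKDF2_DKLEN)
    return base64.b64encode(dk).decode("ascii")


def cookie_matches_password(cookie_value: str, password: str, salt: bytes) -> bool:
    """Server-side check: recompute the token from the configured secret, compare in constant time."""
    expected = derive_cookie_token(password, salt)
    return hmac.compare_digest(cookie_value.encode("utf-8"), expected.encode("ascii"))


def demo() -> dict:
    salt = b"example-salt-16b"  # constructed; a deployment would persist a random salt
    token = derive_cookie_token(REPORTED_PASSWORD, salt)
    tampered = token[:-1] + ("A" if token[-1] != "A" else "B")
    return {
        "password_cookie_safe": is_cookie_safe(REPORTED_PASSWORD),
        # Plaintext-in-cookie scheme: the value that comes back no longer equals the secret,
        # so every request fails the check and the user is sent back to the login page.
        "plaintext_survives_cookie": strip_to_cookie_octets(REPORTED_PASSWORD) == REPORTED_PASSWORD,
        "token_cookie_safe": is_cookie_safe(token),
        "token_verifies": cookie_matches_password(token, REPORTED_PASSWORD, salt),
        "tampered_token_verifies": cookie_matches_password(tampered, REPORTED_PASSWORD, salt),
    }
```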
If you use many special characters and generated passwords, it's ending up in a login loop.