Currently the password for basic auth is stored in clear text in the redis datastore. Users might use the same password for other websites. Thus a compromised redis store would mean that all passwords of users are known to an attacker, which might lead to hacked email accounts, etc. Preserving backward compatibility with existing data in the DB is not hard: just add a field "pwencoding" that stores the hash algorithm used and defaults to 'none' if it's not present.

Tyk analytics already uses password hashing but I don't know which one. Using PBKDF would probably be a good idea.
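As an added illustration of the scheme proposed in the issue (example code, not Tyk's own), the following sketch keeps a record with the proposed "pwencoding" field, hashes new passwords with PBKDF2-HMAC-SHA256, and verifies legacy clear-text records (no field, or 'none') while rewriting them in hashed form on their next successful check. The stored field name "password", the `iterations$salt$hash` layout and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; assumed value, tune to the deployment's CPU budget.
ITERATIONS = 200_000
ENCODING_PBKDF2 = "pbkdf2-sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Return the fields to store for a new or upgraded record."""
    salt = os.urandom(16)  # per-record random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "pwencoding": ENCODING_PBKDF2,
        "password": f"{iterations}${salt.hex()}${dk.hex()}",
    }


def verify_password(record: dict, supplied: str):
    """Return (ok, record_to_store).

    A record without "pwencoding" is treated as 'none' (legacy clear text).
    On a successful legacy match the returned record is the hashed form, so
    writing it back removes the clear-text password from the store.
    """
    encoding = record.get("pwencoding", "none")
    stored = record["password"]
    if encoding == "none":
        # Constant-time compare even for the legacy path.
        ok = hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))
        return (True, {**record, **hash_password(supplied)}) if ok else (False, record)
    if encoding == ENCODING_PBKDF2:
        iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", supplied.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex)), record
    raise ValueError(f"unknown pwencoding {encoding!r}")


if __name__ == "__main__":
    # Constructed legacy record as it would sit in the store today.
    legacy = {"username": "alice", "password": "hunter2"}
    ok, upgraded = verify_password(legacy, "hunter2")
    print(ok, upgraded["pwencoding"])  # True pbkdf2-sha256
    print(verify_password(upgraded, "wrong")[0])  # False
```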
camann9 changed the title from "Use encraption for basic auth password in database" to "Use encryption for basic auth password in database" on Jan 23, 2015