Insecure password storage #3
Comments
@rieck-srlabs Thanks for the suggestion. Will look into it. What will happen to the existing users who are already created? Do we need to ask them to create new password?

Just curious - why not OAuth? To me, creating / managing yet another password is a barrier to entry, but being able to login with my GitHub (just identity, no permissions), for example, would be a really simple thing to do. It would also allow you to offload user/password management to another provider and focus on your core product.

Disregard my last comment. Just saw issue #4.

You'll have to migrate them. Asking them to reset their own password would work, but you could also:
Issue Description

Webtag uses the following code (called by getValidPassword) to store and hash passwords:

I guess this is supposed to include a secret / salt (config.SECRET) in the hash computation. Node's crypto.createHash however does not take a salt. The current code just performs a single vanilla SHA-256 computation:

Notice that the output using a "salt" (supersecret) and using no salt is identical:

Passwords are stored unsalted, hashed just once with SHA-256.
Remediation
Follow proper guidance here and use Argon or at least PBKDF2 with many iterations.