
Changes between Version 39 and Version 40 of Authentication


Timestamp:
04/22/18 17:48:37 (19 months ago)
Author:
Antoine Martin
Comment:

--

  • Authentication

    v39 v40  
    117117* Enabling {{{auth}}} [/wiki/Logging] may leak some authentication information
    118118* if you are concerned about security, use SSH as transport instead
     119
     120== Salt handling is important ==
     121* [https://blog.mozilla.org/security/2011/05/10/sha-512-w-per-user-salts-is-not-enough/ SHA-512 w/ per User Salts is Not Enough]: ''In the event the hash was disclosed or the database was compromised, the attacker will already have one of the two values (i.e. the salt), used to construct the hash''
     122* [https://news.ycombinator.com/item?id=1998198 about hmac]: ''Those people should know that HMAC is as easy to precompute as naked SHA1 is; you can "rainbow-table" HMAC''
     123* we got it wrong before: r16967
    119124}}}
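Review bot: The new "Salt handling is important" heading and its three bullets (v40 lines 120-123) are inserted above the unchanged `}}}` on line 124, so they sit inside the block that `}}}` closes, together with the two logging and SSH bullets. If that block is preformatted text, the heading and the links will not render as wiki markup, and in either case a new top-level topic is better placed after the `}}}`. Separately, the section only quotes two external posts and says "we got it wrong before: r16967" without stating what was wrong or what the page now recommends. A sentence saying what the server and client are expected to do with the salt, and from which release the behaviour fixed in r16967 applies, would let a reader act on it without opening the changeset.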