alexandregz / twofactor_gauthenticator

This RoundCube plugin adds the 2-step verification (OTP) to the login process
MIT License
216 stars 76 forks

Secrets and backup codes saved in plaintext in database #134

Open muppeth opened 3 years ago

muppeth commented 3 years ago

While testing the plugin I noticed both secrets and backup codes are saved in plaintext in the database. Shouldn't those be hashed? Currently a sysadmin or anyone with access to the database can easily brute-force access to the webmail.

aerth commented 3 years ago

I think we need the 2FA OTP Secret, but can probably hash the backup codes!