allez-chauffe / marcel

marcel is a configurable plugin based dashboard system
Apache License 2.0

Urgent: Secret for passwords should not be a const #384

Open nlepage opened 5 years ago

nlepage commented 5 years ago

I think the problem is we're using HMAC which is normally used for message authentication, but not password storage.

We should switch to bcrypt which doesn't require a key.

@EmrysMyrddin

nlepage commented 4 years ago

Problem is changing this would break all passwords on preprod...
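One way to move from the keyed-HMAC scheme to a salted password hash without invalidating stored passwords, as an added example that is not part of this thread or of marcel's code: legacy records are still verified with the old scheme and are re-hashed at the next successful login. Assumptions: the legacy format is hex HMAC-SHA256, the key and all function names are hypothetical, and Python's standard-library scrypt stands in for bcrypt so the block runs without third-party packages.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the hard-coded secret named in the issue title.
LEGACY_KEY = b"constructed-legacy-secret"
PREFIX = "scrypt$"  # hypothetical marker that distinguishes upgraded records


def legacy_hash(password):
    """Assumed legacy scheme: hex HMAC-SHA256 of the password under a constant key."""
    return hmac.new(LEGACY_KEY, password.encode(), hashlib.sha256).hexdigest()


def kdf_hash(password, salt=b""):
    """Salted, memory-hard hash with no shared key (scrypt standing in for bcrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return PREFIX + salt.hex() + "$" + digest.hex()


def _same(a, b):
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())


def verify_and_upgrade(password, stored):
    """Return (ok, value_to_store).

    Upgraded records are checked with the KDF. Records without the prefix are
    treated as legacy HMAC values and re-hashed only after a correct password,
    so existing accounts keep working while the old format drains away.
    """
    if stored.startswith(PREFIX):
        try:
            _, salt_hex, _ = stored.split("$")
            candidate = kdf_hash(password, bytes.fromhex(salt_hex))
        except ValueError:  # malformed record: reject, do not fall back to legacy
            return False, stored
        return _same(candidate, stored), stored
    if _same(legacy_hash(password), stored):
        return True, kdf_hash(password)  # caller persists the upgraded value
    return False, stored


if __name__ == "__main__":
    record = legacy_hash("correct horse")  # constructed legacy record
    ok, record = verify_and_upgrade("correct horse", record)
    print(ok, record.startswith(PREFIX))
```

Until every account has logged in, both formats coexist, so the legacy key has to stay available for verification during that window.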