michardy / account-hijacking-prevention

Software that blocks account hijacking attacks.
https://mhardy.dev/account-hijacking-prevention/
MIT License

Data cannot be hashed and salted before the user is known #1

Open michardy opened 7 years ago

michardy commented 7 years ago

Collected session data cannot be collected and hashed before the user is known.
Data can be salted with a constant until the user is known. (This is a very bad idea)

Mitigation: API users can mitigate this by not using the user's email for the UID. This means that in the event the API's database is hacked, the data about users cannot be tied to any of the users' accounts.

michardy commented 7 years ago

Possibly try using user agent string or fingerprint as salt.

michardy commented 7 years ago

Add additional site salt to avoid UA string collisions

michardy commented 7 years ago

Partial fix in 1ce38944a537562d70f15dddc8aa731a8cd652a2

michardy commented 7 years ago

After faa603a52826cda295a31340dbbb521cd6b602fd the keystroke dynamics module no longer uses any hashing. This is a problem.
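The two salting options discussed in this thread side by side, as an added example that is not the repository's own code or the issue author's: the constant salt that the first comment calls a very bad idea, and the user-agent-plus-site-secret salt proposed later. The sample timing data, the site secrets and all function names are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed demo values, not taken from the project.
CONSTANT_SALT = b"static-placeholder-salt"
SITE_A_SECRET = b"site-a-random-secret-at-least-32-bytes-long"
SITE_B_SECRET = b"site-b-random-secret-at-least-32-bytes-long"
SAMPLE = b"keydown:k:112ms;keyup:k:44ms;keydown:e:98ms"  # constructed keystroke sample


def hash_with_constant_salt(sample: bytes) -> str:
    """Rejected approach: one fixed salt for every sample collected before login."""
    return hashlib.sha256(CONSTANT_SALT + sample).hexdigest()


def ua_site_salt(user_agent: str, site_secret: bytes) -> bytes:
    """Salt proposed in the thread: the user-agent string mixed with a per-site secret.
    Keying an HMAC with the site secret means the UA string is not the only input."""
    return hmac.new(site_secret, user_agent.encode("utf-8"), hashlib.sha256).digest()


def hash_pre_login(sample: bytes, user_agent: str, site_secret: bytes) -> str:
    """Hash a sample collected before the user is identified, using the UA+site salt."""
    salt = ua_site_salt(user_agent, site_secret)
    return hmac.new(salt, sample, hashlib.sha256).hexdigest()


def is_linkable(digest_a: str, digest_b: str) -> bool:
    """Two stored digests can be tied to each other if they are identical."""
    return hmac.compare_digest(digest_a, digest_b)


if __name__ == "__main__":
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
    # Constant salt: identical samples collide regardless of site or client.
    print(is_linkable(hash_with_constant_salt(SAMPLE), hash_with_constant_salt(SAMPLE)))
    # UA + site salt: same sample and UA, different site -> unrelated digests.
    print(is_linkable(hash_pre_login(SAMPLE, ua, SITE_A_SECRET),
                      hash_pre_login(SAMPLE, ua, SITE_B_SECRET)))
```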