mountainpenguin / pyrt

python rtorrent webUI
GNU General Public License v3.0

Different hash on every mkpasswd #40

Closed abshkd closed 8 years ago

abshkd commented 11 years ago

When I restart pyrt and try to login with my usual password I could not. I then tried to mkpasswd but I get a different hash each time for the same password. Sometimes it's the same as expected. At that moment I can login, until the next restart.

mountainpenguin commented 11 years ago

Hi,

mkpasswd should generate a different hash every time for the same password, since it uses a random salt for the password on every iteration.

In an attempt to provide more password security against sniffing, your browser also uses random salting, and the addition of a time-based salt. I've now realised that these measures are probably not providing much additional security in the long run.

I'll be removing the time-based hashing shortly.
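The behaviour described above, as an added illustration (not pyrt's own mkpasswd or login code, whose storage format is not shown here): a per-call random salt makes every generated hash different, and verification still succeeds because the salt is read back out of the stored value rather than regenerated. The `pbkdf2_sha256$iterations$salt$digest` format is an assumption made for this example.

```python
import hashlib
import hmac
import secrets

# Storage format assumed for this example (not pyrt's): algorithm$iterations$salt_hex$digest_hex
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000


def mkpasswd(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a salted hash for `password`.

    A fresh 16-byte random salt is drawn on every call, so two calls with the
    same password produce different strings. That is expected, not a bug.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Verify `password` against a string produced by mkpasswd().

    The salt and iteration count are parsed from the stored string, so the
    check succeeds whichever salt was drawn when the hash was generated.
    """
    try:
        algorithm, iterations_str, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed or truncated stored value
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    first = mkpasswd("correct horse")
    second = mkpasswd("correct horse")
    print(first != second)                          # True: different salts
    print(check_password("correct horse", first))   # True
    print(check_password("correct horse", second))  # True
    print(check_password("wrong", first))           # False
```

Sniffing a single stored value gives an attacker the salt too, which is why salting protects against precomputed tables but not against capturing the value itself; that is the point made later in this thread.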

abshkd commented 11 years ago

Well, for now I edited the code out and disabled the password check altogether since I don't have a public-facing install. To be honest I did not quite understand the whole password check code. It is interesting. With the time issue fixed it will be useful enough for me to use on my own code ;)

mountainpenguin commented 11 years ago

It was trying to think up a way to confound sniffing, by hashing the password client side and having that hash change every two minutes, but this actually provides the same security as just hashing it once, since a sniffer just needs one hash and knowledge of the original salt to create a rainbow table. The changing part doesn't really affect them.

Overall, it's all a bit too paranoid, and I'll be removing it as soon as I've eaten my lunch :)

abshkd commented 11 years ago

All that talk of salt and lunch... I am hungry too. Thanks.

mountainpenguin commented 11 years ago

Can you try out these changes on the otpremoval branch and let me know if they fix your issues?

You might need to aggressively uncache the login javascript (if aggressive uncaching is a thing).

mountainpenguin commented 8 years ago

I'm probably just going to keep time-based OTP authentication, so I'll probably delete the otpremoval branch.