nirizr / rematch

REmatch, a complete binary diffing framework that is free and strives to be open source and community driven.
GNU General Public License v3.0

Remove plaintext passwords into hashes #6

Closed shiftre closed 7 years ago

shiftre commented 8 years ago

config.json now saves passwords as plaintext (we also inform our users that we do it); we should move to hashes.

Need to see how django handles that.

nirizr commented 8 years ago

Passwords are not automatically saved now, a user can decide not to remember the password and still remain logged in using his token. This does not (and there's no easy way to) fully protect the password, and anyone stealing it might just as well steal the token. This does hide the password itself. Is that sufficient? If so - it's already implemented and we can resolve this.

The next step could be done by exposing login-by-token directly to the user. A user will generate a token using the web interface and then will be allowed to directly paste the token instead of a username/password pair.

shiftre commented 8 years ago

Tokens are ok'ish, but should be limited to several days / weeks (the value could be set by the user on the server?).

We're not here to fully protect our users from any password stealing mechanism (else we should've used 2FA and Twilio upon every login, but that's just bloated and absurd); hashes are fine, tokens are also ok'ish. Maybe add a per-IP limitation for several days / weeks (set by the user on the server).

The password field shouldn't be present in plaintext once the token is set, but once the session expires there should be a way to auto-login again, thus the hash. Maybe it's a bit too much.

What do you think ?

nirizr commented 8 years ago

Expiring tokens are possible. Do you think an IP limit is ok? Nowadays users log in from multiple IP sources.

nirizr commented 7 years ago

Can this be closed? We now allow saving only tokens and not username/password. This can still be replayed but will not expose the user name or password in any way.
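The design the thread converges on (expiring tokens in the earlier comments, and saving only a token rather than a username/password pair here) can be sketched in a few dozen lines. The following is an added example written for this page; it is not rematch's code, and the names TokenStore, issue_token, validate_token and client_config are assumptions. The client config keeps a username and an opaque token and never the password; the server keeps only a SHA-256 digest of each token together with an expiry, so a stolen config can still be replayed, as nirizr notes, but only until the TTL runs out, and a leaked server table contains nothing directly usable.

```python
"""Expiring login tokens kept in the client config instead of a password.

Added example, not rematch's code. The client config stores a username and
an opaque token, never the password; the server keeps only a hash of the
token plus an expiry, so neither a leaked config nor a leaked server table
yields anything reusable past the TTL. Names are assumptions.
"""
import hashlib
import json
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def _digest(token: str) -> str:
    # Hash the token server-side so a database leak does not expose usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenStore:
    """Server-side record of issued tokens: digest -> (username, expiry)."""
    ttl: timedelta = timedelta(days=7)   # "several days / weeks", as the thread suggests
    _records: dict = field(default_factory=dict)

    def issue_token(self, username: str, now: datetime) -> str:
        # 256 bits of randomness; the raw value goes to the client exactly once.
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = (username, now + self.ttl)
        return token

    def validate_token(self, token: str, now: datetime):
        """Return the username for a live token, or None if unknown or expired."""
        key = _digest(token)
        record = self._records.get(key)
        if record is None:
            return None
        username, expires_at = record
        if now >= expires_at:
            # Expired: drop it so a replayed token cannot be revived later.
            del self._records[key]
            return None
        return username

    def revoke(self, token: str) -> None:
        # Lets a user invalidate a token from the web interface before it expires.
        self._records.pop(_digest(token), None)


def client_config(username: str, token: str) -> str:
    """Serialise what the client keeps on disk: username and token, no password."""
    return json.dumps({"username": username, "token": token}, indent=2)


def demo():
    # Constructed timestamp and user name for the walk-through.
    now = datetime(2016, 12, 4, 18, 40, tzinfo=timezone.utc)
    store = TokenStore(ttl=timedelta(days=7))
    token = store.issue_token("alice", now)
    config = json.loads(client_config("alice", token))
    return {
        "config_has_password": "password" in config,
        "valid_now": store.validate_token(token, now),
        "valid_day_6": store.validate_token(token, now + timedelta(days=6)),
        "valid_day_8": store.validate_token(token, now + timedelta(days=8)),
        "wrong_token": store.validate_token("not-a-real-token", now),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script shows the token accepted on day 0 and day 6, rejected on day 8, and a guessed token rejected outright, while the serialised config contains no password key. A per-IP restriction, also floated in the thread, would be an extra field in the record compared at validation time; it is left out here because the thread itself questions whether it suits users who log in from several addresses.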

shiftre commented 7 years ago

Why? config.json has a plaintext password.

nirizr commented 7 years ago

Just untick "save my password"

On Sun, Dec 4, 2016, 18:40 Shift notifications@github.com wrote:

Why? config.json has a plaintext password.


shiftre commented 7 years ago

Ok.