okawaffles / OkayuCDN

A File Upload Server based around Nekomata Okayu.
https://okayu.okawaffles.com

Use of password hash with insufficient computational effort #24

Closed okawaffles closed 5 months ago

okawaffles commented 5 months ago

Tracking issue for:

Will change the password hashing method later.

plan of attack for older accounts:

  1. user has signed up with sha256 hash
  2. on next login, if userdata uses sha256 hash, re-hash password and save new userdata
  3. save config with marker that can differentiate sha256 from argon2d or whatever

okawaffles commented 5 months ago

Passwords are re-hashed with argon2 on login if the user created their account with a sha256 hash. Signup POST needs changing but everything else should be good.
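
The rehash-on-login migration described in this issue, sketched as an added example (not OkayuCDN's own code). Assumptions: the legacy record is an unsalted hex SHA-256 digest, the record layout and the `login`/`save` names are hypothetical, and scrypt from Node's built-in `crypto` module stands in for argon2 so the block runs without third-party packages.

```javascript
// Added example: record layout, function names and the "scrypt$" marker are assumptions.
const crypto = require('node:crypto');

// Legacy format assumed here: unsalted hex SHA-256 of the password, no marker.
const legacyHash = (pw) => crypto.createHash('sha256').update(pw).digest('hex');

// Stand-in for argon2: scrypt with a random 16-byte salt.
// Stored form is "<marker>$<salt hex>$<key hex>", so the marker travels with the hash.
function slowHash(pw, salt = crypto.randomBytes(16)) {
  const key = crypto.scryptSync(pw, salt, 32, { N: 16384, r: 8, p: 1 });
  return `scrypt$${salt.toString('hex')}$${key.toString('hex')}`;
}

// Constant-time comparison of two stored-hash strings.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// A hex SHA-256 digest can never start with "scrypt$", so the prefix is an
// unambiguous marker for which scheme a record uses.
const isLegacy = (stored) => !stored.startsWith('scrypt$');

function verify(stored, pw) {
  if (isLegacy(stored)) return safeEqual(stored, legacyHash(pw));
  const saltHex = stored.split('$')[1];
  return safeEqual(stored, slowHash(pw, Buffer.from(saltHex, 'hex')));
}

// On a successful login against a legacy record, replace the hash and persist.
// A failed login never rewrites the record. `save` is a hypothetical callback.
function login(user, pw, save = () => {}) {
  if (!verify(user.hash, pw)) return { ok: false, migrated: false };
  const migrated = isLegacy(user.hash);
  if (migrated) {
    user.hash = slowHash(pw);
    save(user);
  }
  return { ok: true, migrated };
}

// Constructed sample account created under the old scheme.
function demo() {
  const user = { name: 'alice', hash: legacyHash('correct horse') };
  const first = login(user, 'correct horse');   // legacy record, gets upgraded
  const second = login(user, 'correct horse');  // already upgraded
  const wrong = login(user, 'wrong');
  return { first, second, wrong, stored: user.hash };
}
```

Accounts that never log in again keep their SHA-256 hash under this scheme, so the legacy branch in `verify` has to stay until those records are dealt with separately.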