adombeck closed this issue 3 weeks ago
> We currently don't use a key derivation function but encrypt the tokens directly with the (salted) user password.

That's incorrect, we actually do use scrypt to derive a key from the user password:
That's a valid key derivation function, so this issue is obsolete.
Passwords set by the user should be protected against brute-force attacks by using a computationally expensive key derivation function. We currently don't use a key derivation function but encrypt the tokens directly with the (salted) user password.
UDENG-4058
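
The pattern discussed in this issue, deriving the token encryption key from the user password with scrypt, is sketched below as an added example; it is not the project's code. The cost parameters, the record layout and the function names are assumptions made for illustration.

```python
import hashlib
import os
import struct

# Assumed cost parameters for this example; tune LOG2_N to the target hardware.
LOG2_N, MAX_LOG2_N, R, P = 14, 15, 8, 1
KEY_LEN, SALT_LEN = 32, 16       # 32-byte key, e.g. for an AEAD cipher
HEADER = struct.Struct(">BBB")   # log2(N), r, p stored next to the salt


def _scrypt(password: str, salt: bytes, log2_n: int, r: int, p: int) -> bytes:
    # hashlib.scrypt is the standard-library binding to OpenSSL's scrypt.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=1 << log2_n,
                          r=r, p=p, maxmem=64 * 1024 * 1024, dklen=KEY_LEN)


def new_key(password: str) -> tuple[bytes, bytes]:
    """Return (record, key). The record is stored beside the ciphertext."""
    salt = os.urandom(SALT_LEN)  # fresh random salt for every user
    record = HEADER.pack(LOG2_N, R, P) + salt
    return record, _scrypt(password, salt, LOG2_N, R, P)


def rederive_key(password: str, record: bytes) -> bytes:
    """Recompute the key from a stored record, refusing weakened parameters."""
    if len(record) != HEADER.size + SALT_LEN:
        raise ValueError("malformed KDF record")
    log2_n, r, p = HEADER.unpack_from(record)
    # A tampered record must not lower the cost or raise it without limit.
    if not (LOG2_N <= log2_n <= MAX_LOG2_N and r == R and p == P):
        raise ValueError("KDF parameters outside accepted range")
    return _scrypt(password, record[HEADER.size:], log2_n, r, p)
```

The derived key is meant to feed an authenticated cipher, so a wrong password shows up as a failed decryption rather than as a comparison against a stored password hash.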