Password are stored unobfuscated #45
Comments
|
This was not supposed to stay that way, but ... too many things to do for so short time ... Still... yes it's a problem to fix quite quickly, but the thing is : we already have some users (not that much, we could re-enter the infos to recreate them), and more importantly if someone forgets its password there is currently not process in place to retrieve someone's password (for instance by sending an email with a protected route) ... I put some ideas to fix that with the existing users here : #46 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Unless I'm mistaken, I noticed that user passwords are stored unobfuscated in the database.
It looks like a quite annoying issue.
Passwords should be salted and hashed using a bruteforce resistant hashing function like pbkdf2.
The text was updated successfully, but these errors were encountered: