
Security improvement

@agix agix released this 24 Dec 05:21

After fixing the most urgent vulnerability in the previous release, here is another security-focused release.

Small breaking change on the change-password route

This route now requires the hash of the old password before it allows the password to be changed.

The server now supports a separate key for signature validation

Using the same key for both signing and encryption is not a best practice; this has been fixed in the lib and is now supported by the server (secretin/secretin-lib#58).

Rescue codes are now protected from the server

The rescue codes you could use if you forgot or lost your TOTP device were generated on the server and stored in clear text.

They are now generated by the client and XORed with the hash of the password, so the server cannot recover them.

They are also longer, which makes them harder to brute-force.