gus bjorklund
Guest
> On Jun 6, 2019, at 11:25 AM, frank.meulblok wrote:
>
> As-is, you can and need to expose the client's secret to confirm it matches the secret known by the authentication service. Which gives a way to hijack the client's secret. Using a method to test the match would allow the C-P to confirm a match without exposing the client's secret, as well as making sure that secret is kept in a hashed/encrypted form.)

The clear-text passphrase should not be stored anyplace. Instead, a (slow) hash of it should be stored. To validate, you hash the passed-in passphrase and if the hashes match, it is good.
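The store-a-slow-hash-and-compare scheme described in the reply above, as an added example that is not from the thread: the salt, the `pbkdf2_sha256$iterations$salt$hash` record format and the PBKDF2 work factor are assumptions of this example, not anything the authentication service discussed here is known to use.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value); the record carries it so it can be raised later.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_passphrase(passphrase: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    Only the random salt and the slow hash are stored; the clear-text passphrase never is.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, record: str) -> bool:
    """Re-derive the hash from the presented passphrase using the stored salt and
    iteration count, then compare in constant time so the comparison leaks nothing
    about where the two digests first differ."""
    try:
        scheme, iterations_str, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False  # unknown or tampered scheme tag
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: wrong field count, bad hex, bad integer
    candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: the service keeps only the record, so a leak of it
    # does not hand out the passphrase itself.
    record = hash_passphrase("correct horse battery staple")
    print(record)
    print(verify_passphrase("correct horse battery staple", record))  # True
    print(verify_passphrase("correct horse battery stable", record))  # False
```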