Use salt + md5 token for authentication #1
Comments
|
Actually I'm not 100% sure whether this makes sense for multiple reasons. The current authentication of Subsonic (and thus Airsonic) is deeply flawed; you need to save your credentials in clear text anyways. MD5 is broken. Client-side web crypto is flawed. The only thing really annoying is that you have your user password turn up in server side logs, but that's technically not so different to an md5 hash that you could force a collision for. In my eyes that doesn't have such a high priority right now. In the end what an attackers gains access to is some music. You should probably teach your users to not re-use their passwords though. |
|
There's a good summary of why salting and hashing is a bad idea in this comment: airsonic/airsonic#69 (comment) |
No description provided.
The text was updated successfully, but these errors were encountered: