by voidlogic
2651 days ago
All the more reason to make the client side send HMAC(HMAC(username + password) + Unix Epoch rounded to the last 5 min block) over the wire in its POST to the auth endpoint. All the transport encryption and DB encryption/hashing/salting won't protect you from this kind of logging mistake, but the above would. P.S. There are ways to make the above even better by adding a nonce that has to be requested from the server before POST etc.
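The scheme sketched in the comment, written out as an added example (this is not the commenter's code). Everything the comment leaves open is an assumption here: HMAC-SHA256 for both layers, a fixed application key for the inner HMAC, the inner digest used as the key of the outer HMAC, 5-minute blocks, a server that stores the per-user inner digest to verify against, and a tolerance of one previous block so a request that crosses a block boundary in flight still verifies. The optional `nonce` parameter stands in for the server-issued nonce mentioned in the P.S.

```python
import hashlib
import hmac
import time

# Assumed parameters (the comment does not fix them): 5-minute blocks,
# HMAC-SHA256, and a constructed application key for the inner HMAC.
WINDOW_SECONDS = 300
APP_KEY = b"constructed-app-key-for-illustration"


def window_start(ts: int, window: int = WINDOW_SECONDS) -> int:
    """Round a Unix timestamp down to the start of its block."""
    return ts - (ts % window)


def inner_secret(username: str, password: str, key: bytes = APP_KEY) -> bytes:
    """Inner layer: HMAC over username + password.

    The server must hold this value per user to verify tokens, so it is
    password-equivalent and needs the same protection as a password hash.
    A NUL separator is used so ("ab", "c") and ("a", "bc") do not collide.
    """
    msg = username.encode() + b"\x00" + password.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_token(inner: bytes, now: int, nonce: bytes = b"") -> str:
    """Outer layer: HMAC keyed with the inner secret over the block start,
    plus an optional server-issued nonce (the comment's P.S.)."""
    msg = str(window_start(now)).encode() + b"\x00" + nonce
    return hmac.new(inner, msg, hashlib.sha256).hexdigest()


def client_token(username: str, password: str, now=None, nonce: bytes = b"") -> str:
    """What the client puts in its POST instead of the password."""
    now = int(time.time()) if now is None else int(now)
    return make_token(inner_secret(username, password), now, nonce)


def verify_token(stored_inner: bytes, token: str, now: int,
                 nonce: bytes = b"", skew_windows: int = 1) -> bool:
    """Server side: recompute for the current block and up to `skew_windows`
    earlier blocks, comparing in constant time."""
    for i in range(skew_windows + 1):
        candidate = make_token(stored_inner, now - i * WINDOW_SECONDS, nonce)
        if hmac.compare_digest(candidate, token):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample credentials; the server holds only the inner digest.
    stored = inner_secret("alice", "correct horse")
    tok = client_token("alice", "correct horse", now=900)
    print("token:", tok)
    print("valid in same block:", verify_token(stored, tok, now=1199))
    print("valid one block later:", verify_token(stored, tok, now=1499))
    print("valid two blocks later:", verify_token(stored, tok, now=1500))
```

If a request logger captures the POST body, it gets `tok`, which only verifies for this block and the next (and only with the matching nonce when one is used); the value the server has to guard instead is the stored inner digest.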