This is another along the same vein as other answers, so let me first reiterate the main point: this can be an effective way to invalidate users as long as there are no other ways in.

Unless you're using a very weird hash function, there won't be any values which map to -, and it prevents brute force attacks against the missing values if the database is stolen too, which is a positive (they were unlikely, given the use of bcrypt, but this applies even if the implementation is using a terrible method for storing passwords - pretty much anything other than plain text). In terms of disallowing legitimate login attempts, it's fine.

The other risks could be if there are any methods for access which allow bypassing the hash method for comparison (e.g. you have a legacy method which allows supplying the full hash for some reason) - in that case, if you aren't checking the active status carefully, it might allow access by supplying a dash. Ideally, remove this access method, if this is the case.

How does your system handle logged in users? Presumably once a user logs in your system remembers them until they log out, probably with cookies/sessions.

In terms of downsides, if the database is taken, it slightly decreases the security of other accounts - the attacker has fewer records to brute force. If they are paying attention, they should probably remove the records which are marked as inactive, but still.
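The points above (a stored hash of "-" must never verify, an explicit active flag must be checked on every path, and live sessions must be dropped when a user is disabled) put together as an added example; this is not code from the original answer. It assumes a small in-memory user table, a hypothetical `pbkdf2_sha256$salt$digest` storage format using the standard library in place of bcrypt, and constructed sample users.

```python
import hashlib
import hmac
import secrets

DISABLED = "-"            # sentinel written over the hash to invalidate an account
ALGO, ITERATIONS = "pbkdf2_sha256", 200_000

def make_hash(password: str) -> str:
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), ITERATIONS).hex()
    return f"{ALGO}${salt}${digest}"

def verify_password(stored: str, password: str) -> bool:
    # Fail closed on anything that is not a well-formed hash; "-" never parses,
    # so the sentinel cannot match even if someone submits "-" as the password.
    try:
        algo, salt, digest = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), ITERATIONS).hex()
    return hmac.compare_digest(candidate, digest)

# Constructed sample users: alice is active, bob has already been disabled.
USERS = {
    "alice": {"hash": make_hash("correct horse"), "active": True},
    "bob": {"hash": DISABLED, "active": False},
}
SESSIONS: dict[str, str] = {}   # token -> username

def login(username: str, password: str):
    user = USERS.get(username)
    # Check the active flag first, independently of the hash sentinel.
    if user is None or not user["active"] or not verify_password(user["hash"], password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def session_user(token: str):
    # Re-check status on every request so disabling takes effect on live sessions.
    username = SESSIONS.get(token)
    if username is None or not USERS[username]["active"] or USERS[username]["hash"] == DISABLED:
        SESSIONS.pop(token, None)
        return None
    return username

def disable_user(username: str) -> None:
    USERS[username]["hash"] = DISABLED
    USERS[username]["active"] = False
    for token in [t for t, u in SESSIONS.items() if u == username]:
        del SESSIONS[token]      # drop existing sessions, not just future logins
```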