6 digits passcode can be brute forced #213
Milestone
Comments
|
I agree passcodes can be brute-forced. The backend passcode handler does invalidate (and erase) passcodes after 3 incorrect guesses, but I don't think rate limiting is a bad idea to prevent malicious users spamming the API until they get a right passcode ID and token combination. |
|
We'll address this with #24 |
|
The Passcode init endpoint can now be protected with some basic fixed-window rate limiting which combines user-id and IP. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi! Great work so far. I saw that you use a 6 digit passcode which has just 1 million possibilities. https://github.com/teamhanko/hanko/blob/main/backend/crypto/passcode.go
Without a rate limit this can be brute forced by trying out all combinations.
I saw that rate limits have to be added by the user, however most IP based rate limits can be bypassed using proxy services. Using only a rate limit is only one layer of defense.
A more secure solution would be to use letters as well so the code is not so easily guessable. That way there is some “defense in depth”.
The text was updated successfully, but these errors were encountered: