[Vulnerability] Bad password storing practices #73
Comments
|
Also more complex checking for password strength required, key with length 6 is really weak. And it will be nice to add random key generation function. |
Anyone who have root access can also write SharedPrefs. So, in my opinion, storing hashed automation key is futile.
This is a good idea, I will add random key generation function. 20 bytes of automation key should be enough |
Require length of automation key at least 20 Random automation key generation
I think you could use the Android KeyStore |
|
Yes, I also think using encrypted shared preferences may be a proper solution. |
|
As a user application, it is impossible to compete with root privilege. So, all I have to do is prevent the key from being cracked by other user apps. I think a 20-digit key should be difficult enough to crack. |
I noticed that you are storing automation key in plaintext in shared preferences. It's bad practice for storing passwords. Shared preferences possibly can be read by anyone who have root access. It's a good practice to store hash instead of password, and ideally computation of password hash must be a time consuming process. There are special key derivation functions such as Argon2 created for this purpose. I implemented password hashing in this pull request. I used default parameters for Argon2, may be they must be changed.
#72
The text was updated successfully, but these errors were encountered: