hanko
6-digit passcode can be brute-forced
Hi! Great work so far. I saw that you use a 6-digit passcode, which has just 1 million possibilities. https://github.com/teamhanko/hanko/blob/main/backend/crypto/passcode.go
Without a rate limit this can be brute-forced by trying out all combinations. I saw that rate limits have to be added by the user; however, most IP-based rate limits can be bypassed using proxy services. Using only a rate limit is only one layer of defense.
A more secure solution would be to use letters as well so the code is not so easily guessable. That way there is some “defense in depth”.
I agree passcodes can be brute-forced. The backend passcode handler does invalidate (and erase) passcodes after 3 incorrect guesses, but I don't think rate limiting is a bad idea to prevent malicious users spamming the API until they get a right passcode ID and token combination.
We'll address this with #24
The Passcode init endpoint can now be protected with some basic fixed-window rate limiting which combines user-id and IP.
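Added illustration of the approach described in the previous comment: a fixed-window limiter keyed on user id and client IP. This is example code, not Hanko's implementation; the `userID|ip` key format, the limit and window values, and the injectable clock are assumptions.

```go
package main

import (
	"sync"
	"time"
)

// FixedWindowLimiter allows at most `limit` requests per key inside each
// window of length `span`. Keying on user id AND client IP (hypothetical
// design, not Hanko's code) means one IP cannot exhaust every user's budget
// and a user cannot be locked out by traffic arriving from another address.
type FixedWindowLimiter struct {
	mu     sync.Mutex
	limit  int
	span   time.Duration
	now    func() time.Time // injectable clock; use time.Now in production
	starts map[string]time.Time
	counts map[string]int
}

func NewFixedWindowLimiter(limit int, span time.Duration, now func() time.Time) *FixedWindowLimiter {
	return &FixedWindowLimiter{limit: limit, span: span, now: now,
		starts: map[string]time.Time{}, counts: map[string]int{}}
}

// Allow reports whether one more request for (userID, ip) fits in the
// current window and, if so, records it.
func (l *FixedWindowLimiter) Allow(userID, ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	key, t := userID+"|"+ip, l.now()
	if start, ok := l.starts[key]; !ok || t.Sub(start) >= l.span {
		l.starts[key], l.counts[key] = t, 0 // window expired: start a new one
	}
	if l.counts[key] >= l.limit {
		return false
	}
	l.counts[key]++
	return true
}
```

Because the key includes the IP, a client rotating addresses still gets a fresh budget per address, which is the proxy bypass the issue reporter describes. The per-passcode invalidation after 3 wrong guesses mentioned above is the layer that bounds the total number of guesses against one issued code.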