Hi, On Thursday, November 8, 2018 at 8:12:51 AM UTC+1, Alex Toussaint wrote: > > The attacker can have access to the password hash but no longer to the > last login. if that same attacker is exploiting a vulnerability that gets > patched just after (ex. Heartbleed) or has view on past data (ex. backups) >
After patching a vulernability like Heartbleed one needs to rotate all leaked secrets (if in doubt, that means all); this includes the SECRET_KEY which immediately invalidates all tokens and logs out all users. Cheers, Florian -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/61ac0c4b-aa39-48e5-b008-ad16dc0fcf0b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
