Hi,
On Thursday, November 8, 2018 at 8:12:51 AM UTC+1, Alex Toussaint wrote:
>
> The attacker can have access to the password hash but no longer to the
> last login. If that same attacker is exploiting a vulnerability that gets
> patched just after (ex. Heartbleed) or has view on past data (ex. backups)
But if you can anyway craft a valid session cookie with the secret key
(Wh
SECRET_KEY is the closest thing Django has to a “root password”. That’s why
we emphasize keeping it secret — someone who knows your SECRET_KEY can
effectively do anything to your site anyway. For example, they could
produce valid session cookies for any user, and then just hop in the admin
interfac
Would you consider the *secret* key to not be unpredictable?
On Wed, 7 Nov 2018, 21:22 Alex Toussaint
> Hello,
>
> I'd like to discuss Django's password reset token functionality.
>
> I've been able, with a simple Python script, to go from having read-only
> access to my Django webserver to a ful
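The token design debated in this reply, a stateless reset token that binds the stored password hash, the last login and a timestamp under an HMAC keyed by SECRET_KEY, as an added, simplified model (not Django's own code, not part of this thread); the User fields, key salt, lifetime and secret are constructed for the demo:

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    pk: int
    password: str               # stored password hash, never the plaintext
    last_login: Optional[int]   # unix seconds, None if the user never logged in

# Constructed demo values; in a deployment SECRET_KEY lives only on the server.
SECRET_KEY = "constructed-demo-secret-do-not-reuse"
KEY_SALT = "reset-token-demo"
TOKEN_TTL = 3 * 24 * 3600       # token lifetime in seconds

def _hash_value(user: User, ts: int) -> str:
    # Binding the password hash and last_login into the MAC input means the
    # token stops verifying as soon as the user resets the password or logs in.
    login = "" if user.last_login is None else str(user.last_login)
    return f"{user.pk}{user.password}{login}{ts}"

def make_token(user: User, ts: int, secret: str = SECRET_KEY) -> str:
    # Derive a per-purpose key from the salt and the secret, then MAC the state.
    key = hashlib.sha256((KEY_SALT + secret).encode()).digest()
    mac = hmac.new(key, _hash_value(user, ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts:x}-{mac}"

def check_token(user: User, token: str, now: int, secret: str = SECRET_KEY) -> bool:
    # Reject malformed tokens, future-dated tokens and expired tokens first.
    try:
        ts_hex, _ = token.split("-", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    if ts > now or now - ts > TOKEN_TTL:
        return False
    # Recompute from the current user state with the server secret and compare
    # in constant time; a reader of the database who lacks SECRET_KEY cannot
    # produce a value that passes this check.
    return hmac.compare_digest(make_token(user, ts, secret), token)
```

A token minted with a guessed secret, or checked after the password hash or last_login has changed, fails verification even though every other input is public to a database reader.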
Hi there,
On Wednesday, November 7, 2018 at 10:22:06 PM UTC+1, Alex Toussaint wrote:
>
> I've been able, with a simple Python script, to go from having read-only
> access to my Django webserver to a full read-write by crafting a reset token.
>
To be honest that script is weird at best; if you have ac
Hello,
I'd like to discuss Django's password reset token functionality.
I've been able, with a simple Python script, to go from having read-only
access to my Django webserver to a full read-write by crafting a reset token.
Isn't it one of the main goals of hashing passwords? Protecting from