From 6f719c71cc57e1a619704e21c68bdee17c7f24de Mon Sep 17 00:00:00 2001 From: Andris Reinman Date: Mon, 7 Aug 2017 17:05:25 +0300 Subject: [PATCH] Updated Security implementation (markdown) --- Security-implementation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Security-implementation.md b/Security-implementation.md index 842d6bd..55b7f74 100644 --- a/Security-implementation.md +++ b/Security-implementation.md @@ -10,7 +10,7 @@ If 2FA is enabled then account password can only be used for the "master" scope ## Application Specific Passwords -Application Specific Passwords are 16 byte strings, consisting of lowercase random latin characters. ASPs are stored as separate *asp* entries in the users database. +Application Specific Passwords are 16 byte strings, consisting of lowercase random latin characters. ASPs can include additional whitespace symbols as all whitespace symbols are removed from the password before doing any validations with it (this behavior does not extend to the account password where whitespace symbols matter). ASPs are stored as separate *asp* entries in the users database. ASPs are hashed with bcrypt, using 12 rounds. Additionally the 4 first symbols of the ASP are hashed with md5. This is needed to detect potential ASPs when authenticating (user password is compared against only these ASPs that have a matching md5 hash of the 4 first characters).
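Review bot: In the sentence added under "Application Specific Passwords", "whitespace symbols" and "before doing any validations" are left undefined, which matters because the unchanged line below says candidate ASPs are selected by the md5 hash of the 4 first characters. Suggest stating explicitly that whitespace is removed before that 4-character prefix is taken, since a password typed with a space inside its first four characters would otherwise never match a candidate. The sentence should also say which characters count as whitespace (ASCII space only, or also tabs, newlines and Unicode spaces). The parenthetical says the stripping does not extend to the account password; it would help to add that the account password comparison uses the submitted value unmodified and only the ASP comparison uses the stripped copy, so a reader does not assume a single normalised input feeds both checks.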