Settings PIN code protection. #2565
Conversation
| @@ -46,6 +33,12 @@ | |||
| fO.value = ''; | |||
| return false; | |||
| } | |||
| function checkNum(o) { | |||
There was a problem hiding this comment.
Why only numbers? While PIN makes it pretty clear that numbers should normally be used, if we allow letters as well we don't need this function and the user can make slightly more secure PINs.
There was a problem hiding this comment.
Agreed that complexity is prefered but since we do not have HTTPS it makes no sense (well, less sense) to make pin ultra complex. 4 digit pin should provide adequate protection until we add HTTPS.
| if (!s2[0]) strcpy_P(s2, PSTR("Redirecting...")); | ||
|
|
||
| if (!doReboot) serveMessage(request, 200, s, s2, (subPage == 1 || subPage == 6) ? 129 : 1); | ||
| if (subPage == 6) doReboot = true; | ||
| serveMessage(request, 200, s, s2, (subPage == 1 || (subPage == 6 && doReboot)) ? 129 : (correctPIN ? 1 : 10)); |
There was a problem hiding this comment.
Putting a longer redirect time here unfortunately won't defeat a script (or browser back button).
We need to lock the set.cpp code from accepting new PINs for a few seconds (same for OTA lock now that reboot on Save is removed)
There was a problem hiding this comment.
The actual brute force protection is in line 448.
|
Any progress on this? |
|
Tested, looks good mostly :) Can merge after 0.13.0 release (how about tomorrow for 0.13.0?) Two minor things I've noted: xml.cpp serves the cleartext pin to GetV(). Should do something similar to WiFi password instead (e.g. replace with asterisks) |
|
Agreed on 0.13. I also agree that returning to main setting page is annoying but couldn't figure out how to get the proper destination. |
|
Is superseded by #2610 |
|
This has been superseded by #2737 |
Protect settings pages with PIN code.