server session not protected against an online dictionary attack

Issue #3 resolved
simon repo owner created an issue

A server could generate a session issuing a challenge B. An attacker could then keep on password guessing with the same A firing repeated M1. To protect against this the thinbus server object should refuse to run either step1 or step2 more than once. That forces an attacker to fetch a new challenge for every password guess at the expense of another round trip to the server.
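The one-shot session discipline described above, as an added example written for this page (not thinbus's own code): a toy SRP-6a server session whose `step1` and `step2` each refuse to run twice, alongside a minimal client proof so the flow can be exercised end to end. The group parameters, hash layout and session API are constructed assumptions for the demonstration, not thinbus's actual wire or API format.

```python
import hashlib
import hmac
import secrets
# Toy SRP-6a group: N is the Mersenne prime 2**127 - 1. Far too small for real use
# (deployments use the RFC 5054 groups), but it keeps the example self-contained.
N = (1 << 127) - 1
g = 2
def H(*parts: int) -> int:  # hash big-endian integers, reduce mod N
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big"))
    return int.from_bytes(h.digest(), "big") % N
k = H(N, g)  # SRP-6a multiplier
def private_x(salt: int, password: str) -> int:
    return H(salt, int.from_bytes(hashlib.sha256(password.encode()).digest(), "big"))

class SrpServerSession:
    """Per-login server state. Each step runs at most once, so repeated M1 guesses
    cannot be fired at one challenge B: every guess costs a fresh session."""
    def __init__(self, salt: int, v: int):
        self.salt, self.v, self.b, self.B = salt, v, None, None
        self.used = set()
    def step1(self) -> tuple:
        if "step1" in self.used:
            raise RuntimeError("step1 already run; request a new session")
        self.used.add("step1")
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B
    def step2(self, A: int, M1: int) -> int:
        if self.B is None or "step2" in self.used:
            raise RuntimeError("step2 runs exactly once, after step1")
        self.used.add("step2")  # burn the session even if the proof fails
        if A % N == 0:
            raise ValueError("illegal client value A")
        u = H(A, self.B)
        S = pow(A * pow(self.v, u, N), self.b, N)
        expected = H(A, self.B, S)
        if not hmac.compare_digest(expected.to_bytes(16, "big"), (M1 % N).to_bytes(16, "big")):
            raise ValueError("client proof M1 rejected")
        return H(A, expected, S)  # M2, the server's proof back to the client

def client_proof(salt: int, B: int, password: str) -> tuple:
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    x = private_x(salt, password)
    u = H(A, B)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return A, H(A, B, S)
```

A correct proof on a fresh session yields M2; any further `step2` call on that session, right or wrong, is refused, so a guesser must pay a full round trip for a new B per guess.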
