allow instance-wide custom salt for login

2017-05-05 09:10:31 +02:00
parent d923fd1b76
commit 3e118c6a38
2 changed files with 20 additions and 2 deletions
--- a/customize.dist/application_config.js
+++ b/customize.dist/application_config.js
@@ -40,5 +40,17 @@ define(function() {
    //config.enablePinLimit = true;
    //config.pinLimit = 1000;

+    /*  user passwords are hashed with scrypt, and salted with their username.
+        this value will be appended to the username, causing the resulting hash
+        to differ from other CryptPad instances if customized. This makes it
+        such that anyone who wants to bruteforce common credentials must do so
+        again on each CryptPad instance that they wish to attack.
+
+        WARNING: this should only be set when your CryptPad instance is first
+        created. Changing it at a later time will break logins for all existing
+        users.
+    */
+    config.loginSalt = '';
+
    return config;
 });