Update explanation for new PW hash check.

James Cole 2018-03-09 04:48:17 +01:00
parent 19f7027718
commit eabfe0769b
No known key found for this signature in database
GPG Key ID: C16961E655E74B5E


@ -500,10 +500,10 @@ return [
'what_is_pw_security' => 'What is "verify password security"?',
'secure_pw_title' => 'How to choose a secure password',
'secure_pw_history' => 'In August 2017 well known security researcher Troy Hunt released a list of 306 million stolen passwords. These passwords were stolen during breakins at companies like LinkedIn, Adobe and NeoPets (and many more).',
'secure_pw_check_box' => 'By checking the box, Firefly III will send the SHA1 hash of your password to <a href="https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/">the website of Troy Hunt</a> to see if it is on the list. This will stop you from using unsafe passwords as is recommended in the latest <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">NIST Special Publication</a> on this subject.',
'secure_pw_check_box' => 'By checking the box, Firefly III will send the first five characters of the SHA1 hash of your password to <a href="https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/">the website of Troy Hunt</a> to see if it is on the list. This will stop you from using unsafe passwords as is recommended in the latest <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">NIST Special Publication</a> on this subject.',
'secure_pw_sha1' => 'But I thought SHA1 was broken?',
'secure_pw_hash_speed' => 'Yes, but not in this context. As you can read on <a href="https://shattered.io/">the website detailing how they broke SHA1</a>, it is now slightly easier to find a "collision": another string that results in the same SHA1-hash. It now only takes 10,000 years using a single-GPU machine.',
'secure_pw_hash_security' => 'This collision would not be equal to your password, nor would it be useful on (a site like) Firefly III. This application does not use SHA1 for password verification. So it is safe to check this box. Your password is hashed and sent over HTTPS.',
'secure_pw_hash_security' => 'This collision would not be equal to your password, nor would it be useful on (a site like) Firefly III. This application does not use SHA1 for password verification. So it is safe to check this box. Your password is hashed and only the first five characters of this hash are sent over HTTPS.',
'secure_pw_should' => 'Should I check the box?',
'secure_pw_long_password' => 'If you just generated a long, single-use password for Firefly III using some kind of password generator: <strong>no</strong>.',
'secure_pw_short' => 'If you just entered the password you always use: <em>Please yes</em>.',
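Review bot: the new secure_pw_check_box and secure_pw_hash_security strings still say the prefix is sent "to see if it is on the list", but once only the first five characters of the SHA1 hash leave the client, the remote side cannot tell whether the password is on the list; it can only return the candidates for that prefix, and the comparison has to happen inside Firefly III. The strings should say that, because the local comparison is the entire privacy argument for this change, e.g. "... will send the first five characters of the SHA1 hash of your password to ... and compare the returned list locally". Two smaller points in the unchanged context lines of this hunk: secure_pw_hash_speed attributes the "10,000 years using a single-GPU machine" figure to the linked shattered.io page, so it should be checked against that page before this string ships, and since the user-facing risk here is someone recovering a password from its hash, the explanation would be more accurate if it pointed out that a collision (two inputs with the same hash) is a different thing from reversing a hash, rather than only saying the collision "would not be equal to your password".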