
I'm running a local web server on my Raspberry Pi and want to have a login screen. My plan is to hash the password and store the result in a text file (this is where I'm storing settings for the rest of the application).

Is this the best way to go about it? I'm aware that if an attacker is able to find the hash then they can just make a request to the local server and get authorised that way, so is there any point to the password at all?

The Pi will be turned into a Wireless Access Point, which a user would connect to in order to access the local server.

1 Answer


Depending on the application you are using, you could enable libpam access and use the password stored in /etc/shadow for authorization, for example.

If this isn't possible or is too complex, you could salt and hash the password using Bcrypt and save both the salt and the hash in the text file. Even if an attacker finds the file, he will not be able to log in unless he can alter the file and add his own password to it.

ThoriumBR
  • If using salt and hash, would a hacker not in theory just be able to change the values stored in the file for the salt and hash to those for their own password? – UnknownPerson May 13 '21 at 14:44
  • If everybody is able to edit this text file and add their own password, yes; but if only you can add to/edit this text file you are pretty safe. There are different scenarios where an attacker can pwn the system, get administrative access and modify the file. – mrSotirow May 13 '21 at 15:05
  • If the attacker has enough privileges to write to the password file, he does not need the password file. He can edit your script directly and add a backdoor that always grants him all the power he needs. – ThoriumBR May 13 '21 at 16:35