If you want to subscribe to this forum, use your Facebook account, or send us an email to forum - at - multiotp - dot - net and we will send you back an invitation.
Is need to change default encryption hash & server secret values ?
Dear Forum, I want to know, what if we not change the default encryption_hash & server_secret values in multiotp.ini file for client/server architecture, we are running huge setup & its difficult to maintain both values, as we notice normal user on windows/linux system may able to read C:\Program Files (x86)\multiOTP\config\multiotp.ini file and see both values easily. However we have protected multiotp server to allow only certain ips of servers and no else directly access the server. But the issue is that clients systems running different applications and some web applications vulerable to read data from file. I have wireshark dump and see encrypted values changes automatically like (server challenge & server password). So i have a question if some knows the secret & encryption hash, either they able to hack the users tokens ? or they able to query the user information and get their secret seed/token, and now using them they able to access/login to client machine ? as per dump i see values changes so there is a confusion. If you know additional details i will provide. Thanks
This discussion has been closed.