Security
A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.
Login saves a 32-bit hash of the password; the password itself is not saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form: that gives a more reasonable 13 years to brute force the password. In practice I would expect the attacker to use a dictionary attack with, say, 10 million entries, which would still take 20 days to do.
Once the password is accepted a session id is created. This is 36 bits, which gives 6 base64 characters, but is checked without an extra delay. If an attempt can be made every ms then this will still take over a year to brute force.
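The 36-bit session id and the timing figures above, worked through as an added example (not code from this repository). The function names, the standard base64 alphabet and the caller-supplied random bytes are assumptions; the comparison avoids an early exit so that reply timing does not narrow the search.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard base64 alphabet (assumed; the page only says "base64 characters"). */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Pack 36 bits taken from 5 random bytes into 6 base64 characters.
   The caller supplies the random bytes (hypothetical: the real source is not on the page). */
void session_id_encode(const uint8_t rnd[5], char out[7])
{
    uint64_t v = 0;
    for (int i = 0; i < 5; i++) v = (v << 8) | rnd[i];
    v &= 0xFFFFFFFFFULL;                 /* keep the low 36 bits */
    for (int i = 5; i >= 0; i--) {       /* 6 bits per character, MSB first */
        out[i] = B64[v & 0x3F];
        v >>= 6;
    }
    out[6] = '\0';
}

/* Compare a presented id with the stored one without an early exit,
   so the reply time does not reveal how many leading characters matched. */
int session_id_matches(const char *stored, const char *presented)
{
    if (strlen(presented) != 6) return 0;
    unsigned diff = 0;
    for (int i = 0; i < 6; i++) diff |= (unsigned)(stored[i] ^ presented[i]);
    return diff == 0;
}

/* Seconds needed for 2^bits attempts at one attempt per ms_per_try milliseconds. */
double exhaust_seconds(unsigned bits, double ms_per_try)
{
    return (double)(1ULL << bits) * ms_per_try / 1000.0;
}

int main(void)
{
    const uint8_t rnd[5] = {0x12, 0x34, 0x56, 0x78, 0x9A}; /* constructed sample bytes */
    char id[7];
    session_id_encode(rnd, id);
    printf("session id: %s\n", id);
    printf("2^31 tries at 1 ms:   %.1f days\n", exhaust_seconds(31, 1.0) / 86400.0);
    printf("2^31 tries at 200 ms: %.1f years\n", exhaust_seconds(31, 200.0) / 31557600.0);
    printf("2^36 tries at 1 ms:   %.1f years\n", exhaust_seconds(36, 1.0) / 31557600.0);
    return 0;
}
```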