Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.
Dependents: oldheating gps motorhome heating
Security
A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.
Login saves a 32-bit hash of the password; the password is not saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form: that gives a more reasonable 13 years to brute force the password. In practice I would expect the attacker to use a dictionary attack with, say, 10 million entries which would still take 20 days to do.
Once the password is accepted a session id is created. This is 36 bits, giving 6 base64 characters, but without an extra delay. If an attempt can be made every ms then this will still take over a year to brute force.
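The session id format described above, as an added example that is not this project's own code: 36 bits encoded as 6 base64 characters, and a check of a presented id that has no early exit, which matters because no delay protects it. The function names, the standard base64 alphabet and the caller-supplied random bits are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard base64 alphabet (assumption: the page does not say which one is used). */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode the low 36 bits of 'bits' as 6 base64 characters, most significant
   6-bit group first. Bits above bit 35 are ignored. 'out' holds 6 chars + NUL.
   'bits' is expected to come from the device's random source (assumption). */
void session_id_encode(uint64_t bits, char out[7])
{
    for (int i = 0; i < 6; i++)
        out[i] = B64[(bits >> (30 - 6 * i)) & 0x3F];
    out[6] = '\0';
}

/* Return 1 if 'presented' equals the current session id, else 0.
   All six characters are always compared, so the time taken does not
   reveal how many leading characters were correct. */
int session_id_matches(const char *presented, const char current[7])
{
    unsigned char diff = 0;
    if (presented == NULL) return 0;
    for (int i = 0; i < 6; i++) {
        if (presented[i] == '\0') return 0;          /* too short */
        diff |= (unsigned char)(presented[i] ^ current[i]);
    }
    return diff == 0 && presented[6] == '\0';        /* reject longer input */
}

int main(void)
{
    char sid[7];
    uint64_t constructed_bits = 0x1083105ULL;        /* constructed sample, not random */
    session_id_encode(constructed_bits, sid);
    printf("session id: %s\n", sid);
    printf("correct id accepted: %d\n", session_id_matches("ABCDEF", sid));
    printf("wrong id accepted:   %d\n", session_id_matches("ABCDEG", sid));
    printf("same as strcmp:      %d\n", strcmp("ABCDEF", sid) == 0);
    return 0;
}
```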