2FA scratch token includes ambiguous characters #6267

Closed
2 of 7 tasks
abackstrom opened this issue Mar 7, 2019 · 1 comment · Fixed by #18384
Labels
  • topic/ui: Change the appearance of the Gitea UI
  • type/proposal: The new feature has not been accepted yet but needs to be discussed first.

Comments

abackstrom commented Mar 7, 2019

  • Gitea version (or commit ref): 1.7.3
  • Git version: n/a
  • Operating system: Ubuntu 16.04
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist: n/a

Description

It's possible for the 2FA scratch token to use ambiguous sans-serif characters in the message box, e.g. a lowercase L and an uppercase i. This isn't a problem when copy/pasting, but can present a problem for users who back up scratch tokens using a paper method.

A monospace or other serif font might be a better choice for the token.

Screenshots

Screenshot showing an uppercase i and a lowercase L on Firefox 66.0b13 in Windows 10:

[Screenshot: gitea]

techknowlogick added the topic/ui label Mar 7, 2019

SagePtr (Contributor) commented May 2, 2019

Probably they should be formed from the Base32 alphabet (but should be slightly longer to retain the same security as the old one).

lunny added the type/proposal label May 6, 2019
go-gitea locked and limited conversation to collaborators Apr 28, 2022
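
The Base32 suggestion in the comment above, sketched as an added example in Go; it is not Gitea's code and not from the issue. The old token format used in `main` (8 characters from a 62-symbol alphanumeric set) is an assumption for illustration, and the function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"math"
	"strings"
)

// RFC 4648 Base32 alphabet: upper-case letters plus 2-7. With no lower-case
// letters and no 0 or 1, the l/I, I/1 and O/0 look-alikes cannot occur.
const base32Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

// equivalentLength returns the shortest token length over newSize symbols that
// carries at least as many bits as oldLen symbols drawn from oldSize symbols.
func equivalentLength(oldLen, oldSize, newSize int) int {
	bits := float64(oldLen) * math.Log2(float64(oldSize))
	return int(math.Ceil(bits / math.Log2(float64(newSize))))
}

// generateToken returns n uniformly random Base32 characters from the OS CSPRNG.
func generateToken(n int) (string, error) {
	buf := make([]byte, (n*5+7)/8) // 5 bits per character, rounded up to bytes
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	return enc.EncodeToString(buf)[:n], nil
}

// inAlphabet reports whether every character of token is a Base32 symbol.
func inAlphabet(token string) bool {
	for _, r := range token {
		if !strings.ContainsRune(base32Alphabet, r) {
			return false
		}
	}
	return true
}

func main() {
	// Assumed old format (not stated in the issue): 8 chars from [A-Za-z0-9].
	n := equivalentLength(8, 62, 32)
	tok, err := generateToken(n)
	if err != nil {
		panic(err)
	}
	fmt.Printf("length %d, token %s, unambiguous=%v\n", n, tok, inAlphabet(tok))
}
```

Under the assumed old format, the Base32 token needs 10 characters to carry at least the same entropy as the 8-character one.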