On Mon, May 18, 2015 at 2:29 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote: > On Mon, 2015-05-18 at 14:16 -0700, Kevin Cernekee wrote: > >> > Yes, and that's what you'll see in the message field. Maybe I could hash >> > that thing, and give a form 'name' that depends on that, but that would >> > be harder to interpret when the reply is sent. >> OpenConnect on Android already computes a hash that includes each form >> label, so it can remember different passwords for account password vs. >> OTP. It won't send the user's "Password:" password in response to a >> "One-time password (OATH) for `username':" prompt. > > Is that for the input type's label or the message field in config-auth > section? Label only. AFAICT it is using the message field for display purposes only, not as part of the hash.
