Updated docs
@@ -20,7 +20,9 @@ The Subsonic protocol uses its own authentication system, separate from your Sha
|
||||
2. Find the **Subsonic API** section.
|
||||
3. Enter a password and click **Save**.
|
||||
|
||||
**Security note:** The Subsonic protocol transmits passwords as MD5 hashes (not encrypted). This is a limitation of the protocol itself. Do not reuse a password you use for other services. The Subsonic password is stored in plain text in the database, per the protocol specification.
|
||||
**Important -- please read:** The Subsonic password is stored as **plain text** in the database. This is not a bug or an oversight. The Subsonic protocol requires the server to verify authentication by computing `md5(password + client_salt)`, which means the server must have access to the original password. There is no way to store it securely (like a one-way hash) and still be compatible with the protocol. This is a well-known limitation of the Subsonic standard and is how all Subsonic-compatible servers handle it, including Navidrome.
|
||||
|
||||
Because of this, **do not reuse a password from any other account**. Choose a simple, unique password that you use only for Subsonic access. Your Shanty web login password is stored securely (Argon2id hash) and is completely separate.
|
||||
|
||||
### 2. Configure your client
|
||||
|
||||
|
||||
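Review bot: In the paragraph beginning "Because of this", the advice "Choose a simple, unique password" recommends a weak secret for a scheme in which, per the paragraph above it, the server verifies `md5(password + client_salt)`. Anyone who observes that hash together with the salt can test password guesses offline, and a simple password is the cheapest to guess. Suggest wording such as "Choose a long, randomly generated password that you use only for Subsonic access". The new text also no longer carries the old Security note's statement that the password is transmitted as an MD5 hash and not encrypted; keeping one sentence on that next to the storage explanation would preserve the transit half of the reason for the no-reuse advice.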