bjarneo
commented
4 months ago Fair points, @Bloodiko. It should be fixed.
One thing you forgot to mention here which limits the brute force of the password; rate limiting.
Open Bloodiko opened 4 months ago
bjarneo
commented
4 months ago Fair points, @Bloodiko. It should be fixed.
One thing you forgot to mention here which limits the brute force of the password; rate limiting.
Description
If you choose to encrypt your secret with a password, a potential attacker just needs to look at the link to get the information how long the password is - potentially making brute force attacks easier, as you have a fixed length knowledge about the password.
This is not a serious issue per se, but something that should be addressed eventually. (Yes, with the limited views of a secret this issue does not exist, as a brute force is impossible if the secret is "accessed" once, even with the wrong password, so you technically have limited tries for your brute force attack, but for those secrets with unlimited views, that does potentially create an issue)
Screenshots
Additional information
you may fix it, by creating the full length encryption key with 32 chars and remove the password length characters from the encryption key while encrypting and decrypting respectively.
There are possibly other ways to fix this, like instead of using an random encryption key, hashing the password with sha256, providing a perfectly safe encryption key (which is exactly 128 bits long, no matter the password length, also creating the possibility of unrestricted password lengths, instead of 32 char passwords maximum as it is currently) , which can be replicated by the user on the decryption end easily.