SeraphJACK / SimpleLogin

Auth mod based on forge for Minecraft 1.12+
https://www.curseforge.com/minecraft/mc-mods/simple-login
MIT License

Upgrade password storage #3

Closed disconsented closed 5 years ago

disconsented commented 5 years ago

SHA256 is pretty easy to brute force, GPU attacks are especially effective. I recommend moving passwords over to Bcrypt or Argon2

SeraphJACK commented 5 years ago

Are you a bitcoin miner or something?

SeraphJACK commented 5 years ago

Alright, that's a joke.

I'm considering.

SeraphJACK commented 5 years ago

I know little about cryptography so maybe I'm wrong.

But since the encryption is open to the public, the only way to be more secure is moving to some asymmetric encryption methods like RSA, instead of these symmetric ones.

SeraphJACK commented 5 years ago

And by default users are using a randomly generated UUID as password, so maybe the security is not that important.

Also, you can use your own method to encrypt it and copy it into configuration.

disconsented commented 5 years ago

Bcrypt/Argon2/SHA256 are examples of hashing not encryption, the point is that you can't reverse them.

SeraphJACK commented 5 years ago

We don't have salt in this case.

disconsented commented 5 years ago

Not a real issue with either, the salt is randomly generated per password and stored in the same record.

SeraphJACK commented 5 years ago

So you need to copy the file instead of remember the password.

Then why not just use generated one?

disconsented commented 5 years ago

Users just need to remember the password, any library worth its salt (ha) will have a comparison function to handle that for you.
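The two points made in this thread, that the per-password salt lives in the same stored record and that the library's comparison function does the work so users only remember their password, are shown below in a worked example. This is added illustration, not code from SimpleLogin (which is a Java mod); it uses Python's standard-library `hashlib.scrypt`, a memory-hard, salted KDF in the same family as bcrypt and Argon2, so it runs without extra packages. The record format `scrypt$N$r$p$salt$hash`, the cost parameters and the sample passwords are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters for scrypt (constructed for this example; tune for your server).
# Memory used is roughly 128 * N * r bytes, so N=2**14, r=8 is about 16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
HASH_LEN = 32
SALT_LEN = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def sha256_unsalted(password: str) -> str:
    """The scheme criticised in the issue: one fast SHA-256 over the password, no salt.

    Equal passwords always produce equal digests, and one GPU can test billions
    of candidates per second against a leaked digest.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Hash with a fresh random salt and return one self-describing record.

    The salt and the cost parameters are stored alongside the hash, so the
    verifier needs nothing but this record and the user's password.
    """
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/parameters and compare in constant time.

    Returns False rather than raising on malformed or foreign records, so a
    corrupted entry in the config cannot take the server down.
    """
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4])
        expected = base64.b64decode(parts[5])
        actual = hashlib.scrypt(
            password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected),
        )
    except (ValueError, binascii_error()):
        return False
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


def binascii_error():
    # base64.b64decode raises binascii.Error, a ValueError subclass; imported lazily
    # here only to keep the except clause readable.
    import binascii
    return binascii.Error


if __name__ == "__main__":
    # Two users choosing the same weak password: identical under unsalted SHA-256,
    # distinct records under salted scrypt.
    print(sha256_unsalted("hunter2") == sha256_unsalted("hunter2"))  # True
    rec_a, rec_b = hash_password("hunter2"), hash_password("hunter2")
    print(rec_a != rec_b)                          # True: different salts
    print(verify_password("hunter2", rec_a))       # True
    print(verify_password("hunter3", rec_a))       # False
    print(verify_password("hunter2", "sha256$deadbeef"))  # False: unknown format
```

The user still only remembers "hunter2"; the stored record carries everything else. Migrating an existing unsalted SHA-256 store would mean rehashing each user on their next successful login, since the original password is not recoverable from the old digest.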

SeraphJACK commented 5 years ago

@Yesterday17

SeraphJACK commented 5 years ago

Check #4

SeraphJACK commented 5 years ago

However, since the check must be done at the server-side, there's still a possibility that someone can get the SHA256sum.