Open SimonSchneider opened 1 month ago
Even better would be to decrypt the data twice. And avoid returning the encrypted blob to the client as a malicious third party could use the link to get the data blob and start brute forcing passwords.
Therefore we should do something like this:
When the user wants to get the secret
The password should be combined with the generated key to arrive at the final key.
basic:
Password can be shared over a separate channel to the link or even just shared over voice.
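One way the proposal above could look, as an added sketch that is not code from this project: the final key is derived from the password and the link's generated key with scrypt, and the server releases the blob only against a proof derived from that final key, so holding the link alone gives nothing to brute force offline. The names `derive_final_key`, `access_proof`, `SecretStore` and the attempt limit are assumptions, and the blob is a constructed placeholder standing in for real ciphertext.

```python
import hashlib
import hmac
import secrets

def derive_final_key(password: str, link_key: bytes) -> bytes:
    """Combine the password with the generated link key (used as the scrypt salt)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=link_key,
                          n=2**14, r=8, p=1, dklen=32)

def access_proof(final_key: bytes) -> bytes:
    """Value sent to the server; it does not reveal the final key itself."""
    return hmac.new(final_key, b"access-proof", hashlib.sha256).digest()

class SecretStore:
    """Hypothetical server side: stores blob and proof, never the keys."""
    MAX_ATTEMPTS = 3  # assumed limit that bounds online password guessing

    def __init__(self):
        self._items = {}

    def put(self, blob: bytes, proof: bytes) -> str:
        secret_id = secrets.token_urlsafe(16)
        self._items[secret_id] = {"blob": blob, "proof": proof, "failures": 0}
        return secret_id

    def get(self, secret_id: str, proof: bytes):
        item = self._items.get(secret_id)
        if item is None:
            return None
        if hmac.compare_digest(item["proof"], proof):
            return item["blob"]
        item["failures"] += 1
        if item["failures"] >= self.MAX_ATTEMPTS:
            del self._items[secret_id]  # stop further guesses against this secret
        return None

def demo():
    store = SecretStore()
    link_key = secrets.token_bytes(32)         # travels inside the link
    password = "correct horse"                 # constructed sample, shared out of band
    blob = b"<ciphertext placeholder>"         # constructed sample blob
    proof = access_proof(derive_final_key(password, link_key))
    secret_id = store.put(blob, proof)
    wrong = access_proof(derive_final_key("guess", link_key))
    return store.get(secret_id, wrong), store.get(secret_id, proof)

if __name__ == "__main__":
    print(demo())
```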