lightningrodlabs / acorn

Built with Holochain, Acorn is an open-source, peer-to-peer project management application. It is designed and built as a scrum-alternative, Agile Development Pattern for distributed software development teams. Acorn is currently in Alpha testing phase.
https://acorn.software

The possibility of brute-forcing a project invitation secret and making a project (private) #181

Open TechSupport26 opened 2 years ago

TechSupport26 commented 2 years ago

Is there a possibility of being able to brute force the project invitation secret? (I assume that the math has been done proving that this would be extremely unlikely.)

This second part is based on the above being possible; otherwise I see no point in developing this feature, apart from it being some kind of added security layer.

Making a project closed/private so that if someone tries to join it won't work. This can be changed if someone (unlocks/opens) the project. Then there could be a way for people to allow that user to join the project after they get the project invitation secret.

I believe the UI for exporting a project is off-centre; whether it was intended to be in the middle or at the side, I don't know.

Thanks again for the work everyone has been putting into this project.

Connoropolous commented 2 years ago

"Is there a possibility of being able to brute force the project invitation secret? (I assume that the math has been done proving that this would be extremely unlikely.)"

One could calculate the 'difficulty' of guessing the secret phrase, based on there being 5 words and with this background: "A word requires five rolls of the dice and each word generated adds 12.9 bits of entropy to your passphrase". We use this library: https://www.npmjs.com/package/diceware-word

So yeah you've got a very high bar for randomness and the difficulty of guessing.