meld-cp / obsidian-encrypt

Hide secrets in your Obsidian.md vault
MIT License
545 stars 32 forks

Bulk Decrypt Safety #128

Closed xmarkclx closed 8 months ago

xmarkclx commented 8 months ago

Is this immune to brute-force attacks? Since the file is local, it could be mass brute-forced, I think?

Especially since it gives the feedback "Decryption failed" instead of just returning a wrong string if it decrypts wrong.

I think giving a wrong string would be better if a wrong password is given; this way it will be hard to brute-force, especially on passwords that have no pattern.

meld-cp commented 8 months ago

Hi @xmarkclx,

This may work for the in-place encryption feature, but would make losing data highly likely for the whole-note feature.

Anyway, I'm not convinced there is any value in adding this really. If someone were to have access to your physical device and all your notes, and then modified the plugin or wrote their own script to create a brute-force loop over them, it would be trivial to check if the decryption worked or not.

So generating a bunch of random characters on failed decryption won't really help in my view.

Here's another scenario: you have a recovery key you want to keep safe; decrypted, it looks like "acRQ7S fcp5pJ...", and you encrypt it in a note. Months or years later you try to decrypt it, and the plugin returns "e9KN9 qz0elqn...". Now you can't be certain whether it's the correct key or whether the decryption password you used was incorrect.