Open EzraBrauner opened 2 years ago
Hello,
Good catch, you are correct in that the user can enter a very simple (or even empty) master password. Seems like we forgot to implement a catch there. Technically not a bug, but more so bad security practice.
I believe this can be considered a 'minor' bug, if anything.
Regards, Pranav
If you are a user, you will not create a simple password for the sake of protecting your personal information. But it is not good to have an empty password as a password, so I will count it as a minor bug.
I see that the master password can be of any length, including the empty string. Allowing a naive user to enter very short passwords can make them easy to guess. For example, creating a one-character master password will lead the created MasterPassword.txt to contain a small hash value seemingly equal to the character's unicode/ASCII value. An attacker who sees this might infer that the password was short (because the hash value is based on the unicode/ASCII value modulo a larger number, and if the password were longer the hash number likely would not be a valid ASCII value) and thus can guess the master password fairly easily and be likely to be correct.
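Added illustration (not code from this project or any commenter): a stand-in for the kind of hash the issue describes, whose shape (code points folded into an integer modulo a larger number) is an assumption modelled on the comment, next to the two mitigations the thread points at: a minimum-length check and a salted password-based KDF so the stored value no longer resembles a code point. `MIN_MASTER_PASSWORD_LENGTH` is a placeholder policy value.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

MIN_MASTER_PASSWORD_LENGTH = 12  # assumed policy value; the project has none yet


def weak_hash(password: str, modulus: int = 10**9 + 7) -> int:
    """Assumed shape of the hash the issue describes: code points folded into
    one integer modulo a larger number. A one-character password comes out as
    its own code point (e.g. 'a' -> 97), and the empty password as 0."""
    h = 0
    for ch in password:
        h = (h * 31 + ord(ch)) % modulus
    return h


def looks_like_single_char(stored: int) -> bool:
    """Defender-side audit check: a stored value inside the printable-ASCII
    range is the telltale the issue warns about."""
    return 32 <= stored <= 126


def validate_master_password(password: str) -> None:
    """Reject empty and very short master passwords up front."""
    if len(password) < MIN_MASTER_PASSWORD_LENGTH:
        raise ValueError(
            f"master password must be at least {MIN_MASTER_PASSWORD_LENGTH} characters"
        )


def derive_verifier(password: str, salt: Optional[bytes] = None,
                    iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Replacement for weak_hash: random salt + PBKDF2-HMAC-SHA256.
    Returns (salt, digest); both are what MasterPassword.txt should hold."""
    validate_master_password(password)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_master_password(password: str, salt: bytes, expected: bytes,
                           iterations: int = 600_000) -> bool:
    """Constant-time comparison against the stored verifier."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)
```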