sh-dv / hat.sh

Encrypt and Decrypt files securely in your browser.
https://hat.sh
MIT License
2.13k stars 251 forks

Permit the ability to encrypt file even if the password is below 12 characters in v2.3.3 #56

Closed git-collab closed 2 years ago

git-collab commented 2 years ago

Currently there is no way to encrypt a file with a password below 12 characters. It would be great if an "encrypt anyway" option is available for a shorter password.

sh-dv commented 2 years ago

The decision to put a minimum length of characters on the password input was done in v2.2.0 to encourage the use of strong passwords! However, I will consider putting an option in the settings page where this can be disabled!

vertigo220 commented 2 years ago

I definitely think it should be a bit difficult to use a short password, and made very clear that it's a bad idea, but it does seem that by completely restricting it, you are essentially reducing the amount of entropy, since attackers know they don't even need to bother with guesses less than the minimum. So it should by default require a minimum, but the user should be able to check a box and maybe even have to type something like "accept" before it will allow it, but it should definitely allow it. And besides, most people that are going to be using this tool are going to hopefully know better anyways.

covert-encryption commented 2 years ago

> I definitely think it should be a bit difficult to use a short password, and made very clear that it's a bad idea, but it does seem that by completely restricting it, you are essentially reducing the amount of entropy, since attackers know they don't even need to bother with guesses less than the minimum. So it should by default require a minimum, but the user should be able to check a box and maybe even have to type something like "accept" before it will allow it, but it should definitely allow it. And besides, most people that are going to be using this tool are going to hopefully know better anyways.

Refusing shorter passwords hardly reduces entropy at all (testing all the shorter ones takes about 1 % of the time it takes to test the 12-character ones). However, because the password hashing is not particularly strong, you really need a fairly long password to keep your data safe. Eight characters is certainly not enough anymore.
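The two comments above disagree about how much a minimum-length rule "gives away" to an attacker. The following added example (not code from hat.sh, and not written by either commenter) puts numbers on it: it counts the passwords a minimum of 12 characters excludes and compares that with the number of 12-character passwords alone, then converts the difference into bits of entropy. The alphabet sizes (95 printable ASCII characters, 26 lowercase letters) and the 12-character minimum are assumptions chosen to match the discussion; the guess rate used in the last function is a constructed figure, not a measurement of hat.sh's key derivation.

```javascript
// Added example: how much search space a "minimum 12 characters" rule removes.
// Not part of hat.sh. Alphabet sizes, the minimum length and the guess rate
// below are assumptions made for illustration.

// Number of distinct strings of exactly `length` characters drawn from an
// alphabet of `alphabetSize` symbols. BigInt keeps 95^12 exact.
function countExactLength(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Number of distinct strings of length 1 .. minLength-1, i.e. everything a
// minimum-length rule rejects and an attacker can therefore skip.
function countShorter(alphabetSize, minLength) {
  let total = 0n;
  for (let len = 1; len < minLength; len++) {
    total += countExactLength(alphabetSize, len);
  }
  return total;
}

// Work saved by skipping the shorter candidates, expressed as a fraction of the
// work needed to exhaust the minimum length itself. For a 95-symbol alphabet
// this is about 0.0106, i.e. roughly 1 % (the figure quoted above).
function shorterFraction(alphabetSize, minLength) {
  const shorter = countShorter(alphabetSize, minLength);
  const exact = countExactLength(alphabetSize, minLength);
  // Scale before converting so the BigInt division keeps six decimal places.
  return Number((shorter * 1000000n) / exact) / 1000000;
}

// Entropy in bits of a uniformly random password of the given length.
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Bits "lost" by telling the attacker the password has at least minLength
// characters: log2(all lengths up to minLength / exactly minLength).
// For 95 symbols and 12 characters this is about 0.015 bits.
function entropyLostBits(alphabetSize, minLength) {
  return Math.log2(1 + shorterFraction(alphabetSize, minLength));
}

// Seconds to try every password of exactly `length` characters at a given
// guess rate. The rate is a constructed assumption; it is only meant to show
// how quickly 8 characters fall compared with 12 at the same hashing cost.
function secondsToExhaust(alphabetSize, length, guessesPerSecond) {
  const candidates = countExactLength(alphabetSize, length);
  return Number(candidates / BigInt(guessesPerSecond));
}

// Stand-alone demonstration.
for (const [name, size] of [["printable ASCII", 95], ["lowercase letters", 26]]) {
  console.log(`${name} (${size} symbols), minimum 12:`);
  console.log(`  shorter candidates / 12-char candidates = ${shorterFraction(size, 12)}`);
  console.log(`  entropy lost by the minimum-length rule   = ${entropyLostBits(size, 12).toFixed(4)} bits`);
  console.log(`  entropy of an 8-char password             = ${entropyBits(size, 8).toFixed(1)} bits`);
  console.log(`  entropy of a 12-char password             = ${entropyBits(size, 12).toFixed(1)} bits`);
}
// Assumed rate of 1e9 guesses per second (constructed, not measured).
console.log(`8 printable chars at 1e9 guesses/s: ${secondsToExhaust(95, 8, 1e9)} s`);
console.log(`12 printable chars at 1e9 guesses/s: ${secondsToExhaust(95, 12, 1e9)} s`);
```

The ratio settles at roughly 1/(alphabetSize - 1) regardless of the minimum length, which is why skipping everything below 12 characters saves an attacker about 1 % of the work for printable ASCII and about 4 % for lowercase-only passwords; in entropy terms the rule costs well under a tenth of a bit. The far larger effect is the one the comment names: the gap between 8 and 12 characters is about 26 bits for printable ASCII, a factor of roughly 80 million in attacker effort.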