spieglt / Cloaker

Simple, drag-and-drop, password-based file encryption
GNU General Public License v3.0

Decrypt the output file #7

Closed R0FGV closed 4 years ago

R0FGV commented 4 years ago

Can I make suggestions? After entering the decryption password, no matter whether the password is correct or not, a file will be generated instead of prompting that the password is incorrect. Will it be safer to fight against brute force?

spieglt commented 4 years ago

Thanks for the suggestion! The sodiumoxide library that Cloaker uses returns an error when it fails to decrypt a chunk, so I'd have to make the program write junk data, which I don't want to do. Your point about brute forcing is well taken though. I wrote a test for the CLI version which makes a 100KiB file, encrypts it, and then tries to brute force it in a loop (without invoking the program each time, so it's faster than a script running it repeatedly would be). According to that, it would take my computer (Intel i5-6500) about 2.46 million years to brute force a 12-character password using lower- and uppercase letters, numbers, and symbols. I just posted version 3.0 on the Releases page, and 12 is now the minimum password length for both the GUI and CLI versions. Of course, longer passwords are always better, and that test is just one core of one machine, so maybe I should increase the limit even more.
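
As an added illustration, not Cloaker's own code, of the two points above: in a chunked authenticated design, a wrong password fails the first chunk's tag before any plaintext is emitted (so there is nothing to write but an error), and the password-hashing cost is what bounds a brute-force rate. sodiumoxide's secretstream is stood in for by a SHA-256 counter keystream plus HMAC; the scrypt parameters and the chunk size are assumed, not Cloaker's.

```python
import hashlib, hmac, os, struct
from typing import Optional

CHUNK = 1024                          # bytes per chunk (assumed; not Cloaker's real chunk size)
KDF = dict(n=2 ** 14, r=8, p=1)       # scrypt cost parameters (assumed, not Cloaker's settings)

def derive_keys(password: str, salt: bytes):
    # Password hashing is the expensive step; it is what limits an attacker's guess rate.
    k = hashlib.scrypt(password.encode(), salt=salt, dklen=64, **KDF)
    return k[:32], k[32:]             # separate encryption and MAC keys

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for a real stream cipher: SHA-256 in counter mode. Illustration only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(password: str, data: bytes) -> bytes:
    salt = os.urandom(16)             # fresh salt per file, so the chunk-index nonce never repeats under one key
    enc_key, mac_key = derive_keys(password, salt)
    blob = salt
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    for i, chunk in enumerate(chunks):
        nonce = i.to_bytes(8, "big")
        ct = bytes(a ^ b for a, b in zip(chunk, _keystream(enc_key, nonce, len(chunk))))
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        blob += struct.pack(">I", len(ct)) + ct + tag
    return blob

def decrypt(password: str, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None as soon as a chunk's tag fails: no junk output is ever produced."""
    salt, pos, out, i = blob[:16], 16, b"", 0
    enc_key, mac_key = derive_keys(password, salt)
    while pos < len(blob):
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        ct, tag = blob[pos + 4:pos + 4 + ln], blob[pos + 4 + ln:pos + 36 + ln]
        pos += 36 + ln
        nonce = i.to_bytes(8, "big")
        if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
            return None               # wrong password or tampered data: an error, not garbage
        out += bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, ln)))
        i += 1
    return out

def brute_force_years(charset_size: int, length: int, guesses_per_sec: float) -> float:
    # Time to exhaust every password of the given length at a measured guess rate.
    return charset_size ** length / guesses_per_sec / (365.25 * 24 * 3600)
```

Feeding `brute_force_years` the size of the chosen character set, the minimum length, and a guess rate measured by timing `decrypt` on a wrong password reproduces the kind of estimate quoted above for a given machine.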

R0FGV commented 4 years ago

Thank you for your reply and look forward to Cloaker becoming better!
