Closed spiral6 closed 5 years ago
Duplicate of #277
Also note that the CKP feature was dangerous and insecure, and that vulnerability is the only reason tusk exists.
More info:
https://subdavis.com/blog/jekyll/update/2017/01/02/ckp-security-flaw.html
I don't agree with your stance, but as the developer, you get the final decision. I requested the feature for convenience, not security. You could solve this issue of storing the master password on disk by using a TOTP/2FA/physical security key option (such as a Yubikey) with a rotating secret key; you would just have to register your browser as a local app for your authenticator of choice.
How would that work?
Are you suggesting that the master password be encrypted on disk and unlocked with a 2FA code or static string from your yubikey?
This is a different feature and it's logged over at #29
However, the result would be just as dangerous as putting the raw key on disk: enabling a side channel attack where the effort to break your database requires significantly less CPU time than a brute-force.
TOTP codes have less than 20 bits of entropy -- they don't make good cryptographic keys on their own.
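To make the entropy point above concrete, here is an added example (not code from this issue or from the tusk project) that implements RFC 4226 HOTP / RFC 6238 TOTP with the standard library and then compares the size of the code space with a passphrase-derived key. The 20-byte secret `12345678901234567890` is the published RFC test secret, so the outputs can be checked against the RFC vectors; the KDF throughput figure and the passphrase alphabet are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def totp_entropy_bits(digits: int = 6) -> float:
    """Upper bound on the entropy of a code: at most 10**digits distinct
    values exist, regardless of how strong the shared secret is."""
    return math.log2(10 ** digits)


def passphrase_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase over the given alphabet."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(entropy_bits: float, kdf_evals_per_second: float) -> float:
    """Worst-case time to run a KDF over the whole space at the given rate.
    The rate is an assumed figure for a deliberately slow KDF."""
    return (2 ** entropy_bits) / kdf_evals_per_second


def compare_key_sources(digits: int = 6, kdf_evals_per_second: float = 10.0) -> dict:
    """Contrast a key derived from a TOTP code with one derived from a
    random 16-character passphrase drawn from 94 printable ASCII characters
    (alphabet and length are assumptions for the comparison)."""
    code_bits = totp_entropy_bits(digits)
    pass_bits = passphrase_entropy_bits(94, 16)
    return {
        "totp_bits": code_bits,
        "totp_search_hours": exhaustive_search_seconds(code_bits, kdf_evals_per_second) / 3600,
        "passphrase_bits": pass_bits,
        "passphrase_search_years": exhaustive_search_seconds(pass_bits, kdf_evals_per_second)
        / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    print("TOTP at t=59:", totp(rfc_secret, 59))  # RFC 6238 vector: 287082
    for key, value in compare_key_sources().items():
        print(f"{key}: {value:,.2f}")
```

The takeaway matches the comment above: even with a strong shared secret, a 6-digit code can only take one million values (just under 20 bits), so a key derived from it can be exhausted with one million KDF evaluations, whereas the passphrase keyspace is astronomically larger at the same KDF cost.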
Feature Request
A feature you'd like to see
CKP used to have the option to remember the master password indefinitely, even when the browser was closed. It was a convenient feature.