Closed yaseenkadir closed 5 years ago
Implemented in #57.
Using bcrypt as the passphrase stretching algorithm. Based it off Protonmail's encryption. See https://github.com/ProtonMail/WebClient/blob/public/src/app/authentication/services/passwords.js#L10-L15 and https://github.com/ProtonMail/WebClient/blob/dd472c7eeaa94b8b16895371012234b25771d812/src/app/authentication/services/passwords.js#L38.
They're using 10 rounds of bcrypt. We can consider another algorithm later. OWASP recommends argon2, scrypt, pbkdf2, and bcrypt in that order. I did a little research and decided to choose bcrypt over the others for the following reasons
However, I should note that 1password[1], Apple[2], Bitwarden[3], and Lastpass[4] use PBKDF2. PBKDF2 is also available in webcrypto, meaning that we could possibly run bcrypt with millions of iterations without a significant performance penalty. We can always consider using PBKDF2 in the future though.
[1] - https://support.1password.com/pbkdf2/
[2] - https://red-sweater.com/blog/2400/secure-password-storage
[3] - https://help.bitwarden.com/article/what-encryption-is-used/
[4] - https://lastpass.com/support.php?cmd=showfaq&id=6926
To help provide greater security, we considered encrypting the (passphrase protected) key with the login password. This way, encryption is performed completely on the client side. If somebody gained access to the db, they would need to brute force both the login password AND the passphrase.
It gave us a little more protection. However, from a usability perspective having to always remember both the password and passphrase seems like too much. A user of etched needs to deal with the concept of a passphrase and cannot forget their passphrase. We'll make that pretty clear as part of onboarding. I don't think we can do the same thing for passwords.
Additionally, a user must be able to reset their password if they forget it. If we encrypt the key using the login password there is no way for them to reset it. See this comment for more info.
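The password-reset problem described above, as an added example that is not part of the original thread or the project's code. It assumes Node's built-in `crypto` module, uses PBKDF2 in place of the bcrypt stretching the thread chose (Node ships no bcrypt), and all secrets, salts, the iteration count and the function names are constructed for illustration.

```javascript
// PBKDF2 (Node built-in) stands in here for the bcrypt stretching the thread chose.
const nodeCrypto = require('node:crypto');
const ITERATIONS = 100000; // assumed demo work factor, not a recommendation

// Stretch a low-entropy secret into a 256-bit key-encryption key (KEK).
function stretch(secret, salt) {
  return nodeCrypto.pbkdf2Sync(secret, salt, ITERATIONS, 32, 'sha256');
}

// AES-256-GCM wrap; the returned blob is iv (12) || tag (16) || ciphertext.
function wrap(kek, data) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Returns the plaintext, or null when the KEK is wrong (GCM tag mismatch).
function unwrap(kek, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', kek, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  try {
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
  } catch { return null; }
}

// Compare the adopted design with the considered one across a password reset.
function demo() {
  const salt1 = nodeCrypto.randomBytes(16), salt2 = nodeCrypto.randomBytes(16);
  const userKey = nodeCrypto.randomBytes(32); // constructed stand-in for the user's key
  // Adopted design: the key is protected by the passphrase only.
  const single = wrap(stretch('correct horse passphrase', salt1), userKey);
  // Considered design: that blob is wrapped again under the login password.
  const double = wrap(stretch('old-login-password', salt2), single);
  // The user forgets the login password and a new one is set.
  const newPwKek = stretch('new-login-password', salt2);
  const passKek = stretch('correct horse passphrase', salt1);
  const oldPwKek = stretch('old-login-password', salt2);
  return {
    singleAfterReset: unwrap(passKek, single)?.equals(userKey) === true,
    doubleAfterReset: unwrap(newPwKek, double) !== null,
    doubleWithOldPw: unwrap(passKek, unwrap(oldPwKek, double))?.equals(userKey) === true,
  };
}
```

`demo()` shows that the passphrase-only blob still opens after the reset, while the double-wrapped blob opens only with the forgotten old password.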