zeruniverse / Password-Manager

An online KeePass-like tool to manage passwords. Client-side AES encryption!

Upgrade plugin to support v11.00 #256

Closed zeruniverse closed 4 years ago

zeruniverse commented 4 years ago

Hi @BenjaminHae

I almost finished development for v11.00. Changes from v10.00 in frontend:

But I found the web browser plugin does not work out of the box. Could you check?

The demo site has been upgraded to v11.00, so you can use it for testing: https://phppasswordmanager.sourceforge.io/

BenjaminHae commented 4 years ago

I probably also need to replace the algorithms with WebCrypto.

But: Is the output of WebCrypto strictly the same as in CryptoJS? (I guess not) Otherwise migrating directly to the new version is not possible and that would force everyone using the plugin to upgrade. (maybe I could implement a switch, but that's a lot of overhead)

zeruniverse commented 4 years ago

Yes. If you use my library, it’s strictly the same. I tested 1000 random strings / salts.

On Tue, Aug 4, 2020 at 12:20 PM Benjamin Häublein notifications@github.com wrote:

I probably also need to replace the algorithms with WebCrypto.

But: Is the output of WebCrypto strictly the same as in CryptoJS? Otherwise migrating directly to the new version is not possible and that would force everyone using the plugin to upgrade. (maybe I could implement a switch, but that's a lot of overhead)


zeruniverse commented 4 years ago

CryptoJS uses 500 iterations of PBKDF2, which is far lower than the NIST-recommended 1e4. I think you want users to migrate anyway because the old method will no longer be safe in the near future. The current v11 implementation uses 1e6 iterations.

zeruniverse commented 4 years ago

Moved to https://github.com/BenjaminHae/PwChromeExtension/issues/44
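
The compatibility question raised in this thread can be checked mechanically. The following is an added example, not code from Password-Manager or the plugin: it compares a hand-written RFC 8018 PBKDF2 (standing in for a pure-JavaScript library such as CryptoJS) against WebCrypto over constructed random passwords and salts, and shows that the 500 and 1e6 iteration counts mentioned above derive different keys. SHA-256, the key lengths and all function names are assumptions.

```javascript
const { createHmac, randomBytes, webcrypto } = require('node:crypto');

// Assumed PRF hash and its output size; the project's real parameters may differ.
const HASH = 'sha256', HASH_LEN = 32;

// PBKDF2 written out from RFC 8018, independent of any built-in KDF.
// T_i = U_1 ^ U_2 ^ ... ^ U_c, with U_1 = HMAC(P, S || INT(i)).
function pbkdf2Reference(password, salt, iterations, keyLen) {
  const blocks = [];
  for (let i = 1; blocks.length * HASH_LEN < keyLen; i++) {
    const idx = Buffer.alloc(4);
    idx.writeUInt32BE(i);
    let u = createHmac(HASH, password).update(salt).update(idx).digest();
    const t = Buffer.from(u);
    for (let j = 1; j < iterations; j++) {
      u = createHmac(HASH, password).update(u).digest();
      for (let k = 0; k < t.length; k++) t[k] ^= u[k];
    }
    blocks.push(t);
  }
  return Buffer.concat(blocks).subarray(0, keyLen);
}

// The same derivation through WebCrypto.
async function pbkdf2WebCrypto(password, salt, iterations, keyLen) {
  const key = await webcrypto.subtle.importKey(
    'raw', password, 'PBKDF2', false, ['deriveBits']);
  const bits = await webcrypto.subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations }, key, keyLen * 8);
  return Buffer.from(bits);
}

// Count disagreements over constructed random inputs (48 bytes = two blocks).
async function countMismatches(trials, iterations) {
  let bad = 0;
  for (let n = 0; n < trials; n++) {
    const pw = Buffer.from(randomBytes(12).toString('base64'));
    const salt = randomBytes(16);
    const ref = pbkdf2Reference(pw, salt, iterations, 48);
    if (!ref.equals(await pbkdf2WebCrypto(pw, salt, iterations, 48))) bad++;
  }
  return bad;
}

// Same password and salt, old vs. new iteration count: the keys differ, so
// data protected under the old count must be re-encrypted on migration.
async function iterationChangeAltersKey() {
  const pw = Buffer.from('constructed-passphrase');
  const salt = Buffer.from('constructed-salt');
  const oldKey = await pbkdf2WebCrypto(pw, salt, 500, 32);
  return !oldKey.equals(await pbkdf2WebCrypto(pw, salt, 1000000, 32));
}
```

Matching output depends on every parameter being identical (hash, salt bytes, iteration count, key length, and the password's byte encoding), so a check like this should run with the exact values both implementations use.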