This repository has been archived by the owner on May 22, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Password hashing / Insufficent PBKDF rounds #607
Comments
I missed something important Line 249 in 9410def
file.url is the complete download link, including the base64 encoded secretKey. Therefore the newAuthKey is already derived from a secretKey AND password and should be quite safe from brute force. 100 rounds is more than sufficient, as the encoded secretKey is adding 128 bits of entropy to the users password Sorry, Closing! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The
newAuthKey
is derived from the users password and submitted to the server, effectively a password hash. Only 100 rounds/iterations are used.send/app/fileSender.js
Lines 239 to 261 in 9410def
send/app/fileSender.js
Line 288 in 9410def
Stackoverflow user "Tails" has compiled a list how many rounds are recommended/actually used in some implementations
The AuthKey is used to sign a nonce. Some suggestions
edit: Accidentally submitted this issue before i had finished writing it
The text was updated successfully, but these errors were encountered: