7/19/2023

Keepassxc chrome extension

PfP doesn’t offer sufficient guidance here however, and that’s the second issue. The reason here is that I wanted for it to be usable on mobile devices, even though a mobile version of PfP never materialized.

As I pointed out myself not too long ago, you compensate suboptimal key derivation by choosing a stronger password. One is the scrypt key derivation parameters being not quite optimal.

Solving this was quite challenging, given that passwords can be locked during sync, in which case PfP won’t be able to decrypt its data.

At the current point I am still aware of two issues with the PfP design. No, this isn’t merely uploading an encrypted blob to some cloud storage, PfP sync is rather capable of merging concurrent changes from different PfP instances. Encrypting all the data allowed implementing secure sync functionality without relying on trusted storage. Not that there aren’t “industry leaders” who made the exact same mistakes.

By 2018 I’ve addressed both issues with PfP 2.0 however. Encryption would only be used for the occasional stored password, while all the metadata stayed unencrypted.

As I said, I was new to cryptography. The second mistake was focusing on password generation as protection mechanism and neglecting encryption. PBKDF2 had the advantage of being supported natively by the browsers via the Web Crypto API, but otherwise it’s not a recommended choice. The first mistake was the choice of key derivation algorithm. So it’s not surprising that I made a bunch of questionable choices.

Back when I started this project, originally called EasyPasswords, I was still a cryptography newbie.