Key-Derivation #11
Comments
Hi, no, it is not correct. Ehsun Behravesh On Mon, Apr 6, 2015 at 4:33 AM, karheinz notifications@github.com wrote:
MyPasswords 3.0 key derivation is not done yet. It will be implemented in native code. In case you are asking about MyPasswords 2.0, which is not hosted here, it is not the case for key derivation.
What is meant by native code? I took a look at MyPasswords 2.* and it's worse there. The AES key here is built out of the first 8 bytes of the password: AES-key = 16 bytes = (first 8 bytes of the password) | (first 8 bytes of the password)
Native code means in a native dynamic library, so it cannot be decompiled: a .dll/.so/dylib file. Yes, in MyPasswords 2.x it was like that, but it will not be the same in MyPasswords 3.0.
Keeping the algorithm secret does not lead to more security. "The enemy knows the system." http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle Btw, memory can be disassembled (e.g. with GDB). Somebody will do this, for sure.
You are right, but as I said earlier, MyPasswords 3.0 is not ready and the key derivation part is still a prototype; it is not implemented yet. Please report bugs after the release ;) MyPasswords 3.0 is not released yet.
Hi!
Is it correct that the encryption key is derived from the password by this method (CipherUtils)?
This is bad! You should use at least PBKDF2 with a high number of iterations.
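The two derivations discussed in this thread, side by side, as an added example that is not code from MyPasswords or from any participant: the 8-byte-prefix key described for MyPasswords 2.x and a salted PBKDF2-HMAC-SHA256 key. The function names, sample passwords, salt size and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEY_LEN = 16            # 16-byte AES key, as in the thread
SALT_LEN = 16           # assumed salt size
ITERATIONS = 600_000    # assumed work factor; raise it as hardware allows


def prefix_key(password: str) -> bytes:
    """Derivation described in the thread for MyPasswords 2.x:
    (first 8 bytes of the password) | (first 8 bytes of the password)."""
    raw = password.encode("utf-8")
    if len(raw) < 8:
        # The thread does not say how shorter passwords were handled.
        raise ValueError("password shorter than 8 bytes")
    return raw[:8] + raw[:8]


def pbkdf2_key(password: str, salt: Optional[bytes] = None,
               iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, key); the salt and iteration count are not secret and
    are stored next to the ciphertext so the key can be re-derived."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, dklen=KEY_LEN)
    return salt, key


def same_key(a: bytes, b: bytes) -> bool:
    """Constant-time comparison of two derived keys."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    p1, p2 = "correcthorse-A", "correcthorse-B"   # constructed sample passwords
    # Prefix scheme: everything after byte 8 is ignored, and the key is the
    # password prefix itself, with no salt and no stretching.
    print("prefix keys equal:", same_key(prefix_key(p1), prefix_key(p2)))
    print("prefix key:", prefix_key(p1))
    # PBKDF2: the whole password and a random salt feed every output byte.
    salt, k1 = pbkdf2_key(p1)
    print("pbkdf2 keys equal:", same_key(k1, pbkdf2_key(p2, salt)[1]))
    print("re-derived matches:", same_key(k1, pbkdf2_key(p1, salt)[1]))
```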