11.00 Release

@zeruniverse zeruniverse released this 07 Aug 23:25
· 11 commits to master since this release
2e7e2eb

ALL USERS ARE REQUIRED TO UPGRADE TO THIS VERSION!

v11.00 requires at least PHP 7.1. Note that PHP 7.1 and earlier are no longer supported by the PHP developers, so you should upgrade to PHP 7.2+.

Security enhancement:

  • Server-side PBKDF2 changed from SHA2 to SHA3, with more iterations.
  • Client-side CryptoJS replaced with WebCryptoAPI. With the greatly improved performance, the client-side PBKDF2 iteration count in v11.00 is 1e6 (compared to 5e2 in v10.00).
  • Implemented email-based two-step verification
  • Username-based salting for secret-key generation to prevent rainbow table attacks. (As a result, the backup file now includes the login username in plaintext, because it is needed for decryption.)
  • Changed backup to use a random salt instead of the fixed jsSalt. The backup PBKDF2 iteration count is now configurable (and is written into the backup file, so you don't need to worry about recovery).
  • Server-side random numbers / random bytes are now cryptographically secure.
  • The client polls the server every 5 seconds, and the server terminates the session if it does not receive a poll for 16 seconds. (This is useful when you put Safari in the background on your iPhone. Before, you were still able to check passwords when you switched Safari back to the foreground later.)
  • (Optional but recommended) Client-side source file integrity check to provide a fail-safe if your server is hacked.
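
The username-based salting and the self-describing backup salt described above, as an added WebCrypto sketch that is not the project's own code. `SITE_SALT`, the SHA-256 PRF, the salt layout and the backup header field names are assumptions made for illustration.

```javascript
// Added illustration, not the project's code. Works in browsers and in Node.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const SITE_SALT = 'constructed-site-salt'; // hypothetical per-install constant
const CLIENT_ITERATIONS = 1e6;             // v11.00 client-side count from the notes

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// PBKDF2 via WebCrypto: import the password as raw key material, derive 256 bits.
async function pbkdf2Hex(password, saltBytes, iterations) {
  const material = await webcrypto.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveBits']);
  const bits = await webcrypto.subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256', salt: saltBytes, iterations }, material, 256);
  return toHex(bits);
}

// Username-based salting: the same password yields a different key per account,
// so one precomputed table cannot be reused across users.
function deriveSecretKey(password, username, iterations = CLIENT_ITERATIONS) {
  // Length-prefix the username so adjacent fields cannot be shifted into each other.
  const salt = enc.encode(`${username.length}:${username}:${SITE_SALT}`);
  return pbkdf2Hex(password, salt, iterations);
}

// Backup key: fresh random salt, with salt and iteration count stored in the
// backup header so recovery does not depend on server configuration.
async function makeBackupKey(password, iterations) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const key = await pbkdf2Hex(password, salt, iterations);
  return { header: { kdf: 'PBKDF2-SHA256', salt: toHex(salt), iterations }, key };
}

// Recovery reads the KDF parameters back from the header.
function recoverBackupKey(password, header) {
  const salt = Uint8Array.from(header.salt.match(/../g), (h) => parseInt(h, 16));
  return pbkdf2Hex(password, salt, header.iterations);
}
```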

Security fixes:

  • Fixed many bugs associated with client-side inactivity checks.

Others:

  • Account activity page now has a go-back button at the top
  • Removed redundant "count" key in customized fields
  • Re-designed "position" key in customized fields. The old implementation was buggy (e.g. if the position 3 item was rendered before the position 2 item, the old method would fail)
  • Re-designed cls key in customized fields. Now you don't need the additional space at the beginning.
  • Fixed textarea type in customized fields. It is now a real <textarea>
  • Fixed empty row span bug (the old empty info cell did not span the entire row)
  • Account URL (link) button will now open the corresponding login page in a new tab
  • Fixed CSV import bug introduced in v10.00
  • Fixed file export bug introduced in v10.00 (files not exported even if include files checkbox is checked)
  • Fixed a bug in the recovery page where, if you had multiple files (in multiple accounts), only one of them got processed
  • Fixed the details window so that \n in a textarea is now rendered as a new line.
  • Fixed a bug that caused the password last change time not to be displayed in the details window
  • Fixed a bug where the clipboard plugin did not work on Safari (as a result, copy to clipboard will only show up after you click show password *****)
  • Changed password history to keep the most recent 15 passwords
  • Changed CSV export to not include any system fields (last change time / password history). To migrate / upgrade the password manager, users should use RAW, as RAW will be a full copy.
  • Implemented file delete support. Before, you could only overwrite files.
  • Better handling of cookies.