Improve security of weak passphrases by implementing PBKDF2
Issue #30
new
Users often pick low-entropy passphrases, because they are used to regular passwords.
And then their account gets hacked with something that looks like offline bruteforcing.
So instead of doing
MessageDigest.getInstance("SHA-256").digest(secretPhrase.getBytes("UTF-8"))
we should do something like PBKDF2 to improve security.
Comments (2)
-
repo owner -
reporter No argument there.
I will continue nagging client devs to agree on some sort of standard for this.
- Log in to comment
Whatever gets done in the javascript client has to be supported in other clients too, so that when the js client is dropped users have a way to migrate. So only if PBKDF2 becomes standard in at least a few alternative clients, and if we still maintain the js client at that time, then it would make sense to also add PBKDF2 to the js client.