Comment by gloosx

1 year ago

Even with a strong password – my laptop today can do 1100 MH/s, which makes it quite feasible. One of the potential attack vectors can look like this: a malicious actor takes this and reskins the UI, then hosts it and does the marketing; his server stores the NGINX logs with /login requests for some time, silently preserving the password_hash and username params. Then after a while he spends a few weeks cracking the passwords for every account, syncs their notes, and parses them for passwords/sensitive info.

As for suggestions, this could be enforced by making use of a system-level keychain, but I don't know if it is possible within a sandboxed environment like a PWA. Some stronger derivation method would help too; the industry standard, for example, is PBKDF2 with at least 600,000 iterations of SHA-256. Lastly, end-to-end encryption usually implies some kind of protection against man-in-the-middle attacks, like a certificate pinning mechanism.

Actually, I'm using PBKDF2 with 100,000 iterations of SHA-256 for the encryption, but not for hashing the pass. That will certainly add a few orders of magnitude to the infeasibility of cracking the password hash when the server itself is not to be trusted. I'll implement that, and thanks for bringing it to my attention.

But I don't think a strong password can be cracked that quickly. Let's say you use a 12-character password with lowercase, uppercase, digits and some special chars. That should give you at least 60^12 possibilities. At 1BH/s, that would take 70k years. Is my calculation wrong?