Improve Security

[Flamifly]

Since we use the Master Password to decrypt/encrypt the Password Items we should protect it better (User could use a pretty simple Password).
If the Password is simple the File could be decrypted easy by brute forcing.
I would say we should take the Master Password and Hash it for example with Argon2.

Example:
Password: 1234
Salt: EasePass:
Result: 8164c9ce8593ade06e1029fa5f03e7a0bcd11d1c8944bf0c604d4c0eee960b184f6da622230afab30fb2d7b89382602e96fca1070c6c05ff53712394986e31c6e2fd053f5da3bba8fc641e19f5f94dc4906e527be536e030fac33f87f5b3b3b7d380d51c

This would take a lot longer to encrypt

[FrozenAssassine]

@finn-freitag ?

[finn-freitag]

I have also thought about such things. I also had your method in mind, but the problem is that you can still easily brute force the password, because you just have to download the Database.cs file from Github, which would include the way we hash passwords and you can brute force the password again. If so, then you would have to use a second factor for login for our app.

[Flamifly]

Yea I get what you say but in my Opinion it will be one extra step for the Attacker. If you say not needed it's fine

The Function of an Second Factor would be good too

[Flamifly]

And if we would implement it with Argon it could also take way longer to get the Password with Bruteforcing because you can define the amount of RAM, Parallels, Iterations, etc. Should be used

By that it will take longer to get the Hashes Depending on the params

[finn-freitag]

You are definitely right, we should keep it in mind (the hash method).

[Flamifly]

Merty Christmas Guys,

I am working on adding Second Factor.
I would like to some ideas for the Design.

• So my idea is to implement a Token based Second Factor at first (store it as hash)
• The next Second Factor would be for example Google Authenticator

My Question is now how would you show the options for the Two Factor to the User?

I will show my ideas later

[FrozenAssassine]

Merry Christmas my dear.

The second factor is an awesome idea.

I would create another textbox on the login page, which will only be visible if the second factor is active. This can be done using a AppSetting.
Is the second factor for every database individually or just one for the whole app?

[Flamifly]

Since you can access a temporary Database I would say per Database or what would you say?

[Flamifly]

Or maybe there could be an option the enable ot just for the app or the Database

[finn-freitag]

I would say you can enable a second factor for every Database, because you can handle and import multiple databases. Because of this, you need to handle multiple second factors and it doesn't make sense to enable one second factor for all databases.

[FrozenAssassine]

Well you could save one second factor to all databases using a single click, but yeah every database should store it individually

[Flamifly]

Where to put the enable Second Factor on the Databases or the Settings?

My first guess was on the Settings (because I forgot that you can have multiple Databases)
So I think it should be on the Databases what would you say?

Also should I have to choose the Second Factor in first place or if I want to enable it?
I would say you have first to enable it

I will also implement a Dialog which asks if the User really want to Add a Second Factor
Is there already a Dialog that I can use for it or do I have to create a new one?

[FrozenAssassine]

You can store the second factor in the DatabaseItem. Every database is of type DatabaseItem and all its properties are stored in this class.

You probably have to create a new dialog. But just to remember, you can only show one dialog at a time.

[finn-freitag]

I would say you have to activate the second factor retrospectively.

[Flamifly]

You can store the second factor in the DatabaseItem. Every database is of type DatabaseItem and all its properties are stored in this class.

You probably have to create a new dialog. But just to remember, you can only show one dialog at a time.

I will probably Change the way the Decryption/Encryption will be done a bit.
I will Change that you can't encrypt the data just by the Password you need also know the Second Factor.
By that I mean we first decrypt the Passwords with the Second Factor and After it we decrypt it with the Master Password.
I will store the Second Factor Token as Hash.

Should the Second Factor Token be complex or should it just contains numbers or something like that?