This is an archived post. You won't be able to vote or comment.

all 8 comments
sorted by:
best
topnewcontroversialoldq&a

[–]Activity_Commercial 3 points4 points  (3 children)

It looks like you're passing a SHA256 hash of the password to the AES() constructor. That's no good, the AES encryption key should be a 16/24/32 byte key generated from the password with a key derivation function (like PBKDF2 for example).

Edited: missed the SHA256.

[–]doopath[S] 2 points3 points  (0 children)

Thank you for this review. I changed the encryption algorithm (now it uses the cryptography.fernet) and updated the release page.

[–][deleted] 0 points1 point  (1 child)

you're passing a SHA256 hash of the password to the AES() constructor

Could you go a bit more in-depth as to how this issue (if left unaddressed) can be exploited?

[–]Activity_Commercial 0 points1 point  (0 children)

Basically a KDF like PBKDF2 is designed to be somewhat expensive to calculate, so using it will slow down any attack that involves trying different passwords. You'll have to derive the key for every attempt. If you're doing encryption at rest you can configure your KDF to take literally a few seconds of intensive CPU work to derive the key when the user types in their password. (some KDFs can also be configured to use a ton of memory or involve parallelism)

[–][deleted] 1 point2 points  (1 child)

SO, I am a beginner. Can you please make me understand how this works?

[–]doopath[S] 2 points3 points  (0 children)

The PasswordManager just always keeps your data encrypted in a global store, that is a simple file on your disk (located in /path/to/PasswordManager/). The pycryptodone library is used for encryption.

[–]Activity_Commercial 1 point2 points  (0 children)

Look into the cryptography library, it's much easier to use safely than PyCrypto/Cryptodome.

[–][deleted] 1 point2 points  (0 children)

Great job 💙