It's not that unlikely that we forget passwords. In most cases this isn't an issue, because we're used to "forgot your password?" workflows. In Cryptomator's case it's fatal, because you won't be able to access your vault anymore. This isn't the only reason why we haven't implemented #40 yet, but an automatism would increase the probability of forgetting passwords. That's why I've struggled with the Touch ID implementation in the iOS app, even though it's already in the app.

Optionally generate a recovery code after a vault has been created. With the recovery code you will be able to set a new password for your vault. There should also be the possibility to generate a new recovery code, when a vault has been successfully unlocked. Recovery codes are already common practice when you activate two-step authentication in most online services.

I'm not aware of any standardization of what the pattern of the recovery code should look like, but it shouldn't be too short (security) and shouldn't be too long (usability). For example xxxx-xxxx-xxxx-xxxx is a pattern that we could use with x =. In my opinion the recovery code should be case-insensitive, because it's better usability-wise and doesn't weaken security significantly. Lowercase is preferred, because there are less-likely mix-ups like 0 and O. With my suggested pattern there are (26+10)^16 = ~8 * 10^24 permutations, so that brute-force attacks are very unlikely to succeed. Theoretically it might look like weakened security, because you could always choose a stronger password than this (e.g. with a password manager) that you won't forget. The thing is that we have to consider the best possible security and(!) availability for the average user without restraining edge cases.
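The recovery-code scheme sketched above (xxxx-xxxx-xxxx-xxxx over lowercase letters and digits, case-insensitive on entry, 36^16 keyspace), as an added Python example that is not Cryptomator's code; the CSPRNG generation, the normalization rule, the PBKDF2 storage and the function names are my assumptions:

```python
import hashlib
import hmac
import math
import secrets

# Assumed alphabet: 26 lowercase letters + 10 digits = 36 symbols, as in the post.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
GROUPS, GROUP_LEN = 4, 4  # xxxx-xxxx-xxxx-xxxx
CODE_LEN = GROUPS * GROUP_LEN
PBKDF2_ROUNDS = 100_000   # assumed work factor for the stored verifier


def generate_recovery_code() -> str:
    """Draw 16 symbols from a CSPRNG and group them as xxxx-xxxx-xxxx-xxxx."""
    chars = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
    return "-".join(chars[i:i + GROUP_LEN] for i in range(0, CODE_LEN, GROUP_LEN))


def normalize(code: str) -> str:
    """Case-insensitive canonical form: lowercase, separators and spaces dropped.

    Raises ValueError on wrong length or symbols outside the alphabet."""
    stripped = "".join(ch for ch in code.lower() if ch not in "- \t")
    if len(stripped) != CODE_LEN or any(ch not in ALPHABET for ch in stripped):
        raise ValueError("malformed recovery code")
    return stripped


def keyspace_bits() -> float:
    """Entropy of the pattern: log2(36^16), about 82.7 bits (~8e24 codes)."""
    return CODE_LEN * math.log2(len(ALPHABET))


def store_code(code: str, salt: bytes) -> bytes:
    """Keep only a salted, slow hash of the normalized code, never the code itself."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


def verify_code(entered: str, salt: bytes, stored: bytes) -> bool:
    """Normalize user input (any case, with or without dashes) and compare in constant time."""
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", normalize(entered).encode(), salt, PBKDF2_ROUNDS)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)
```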