throwaway15908 | 3 years ago

I am not a cryptographer, so please keep that in mind.

> An attacker that does have access to vault and token is given the ability to try brute force and to look for cracks that might allow decrypting the vault.

My reasoning for the token is that an attack has to brute force both the token and, _after success_, the vault. But the token is just a random blob with no HMAC, and in my public repo is a script that directly tells you that you will always get a random blob – correct password or not.

> to look for cracks

Is not possible afaik.

pwg | 3 years ago

> I am not a cryptographer, so please keep that in mind.

What that says to someone who is a cryptographer is that there is almost a 100% chance there are "cracks" somewhere to exploit.

How does the token relate to the vault?