An indicator showing that you have a saved password for a website without decrypting the vault.

Hey, I think it would be cool to add an indicator showing whether a stored password exists for the page, when the vault is encrypted. The indicator would look the same as it does when the vault is decrypted. You can achieve this by storing the safe hash (e.g. HMAC-SHA256) of the URL for each saved password. That way, you know if the user has a saved password for the page, allowing you to skip the full decryption process.

@ctrlshifti Welcome to the forum!

Maybe this would be “cool”, but it would come at a cost of lost privacy and security. Hashing can be thwarted by brute-force guessing, which will not be very difficult for URLs, as a random domain name would have around 30 bits of entropy (easier to crack than a random 5-character password). Also it would be trivially easy to check if a vault contains passwords to an above-average number of crypto and/or banking websites (marking the user as high-value, and thus worthy of targeted attacks), or to check whether a vault contains any accounts registered on embarrassing or illegal websites (marking the user as a potential target for blackmail).

That’s true for a normal hash function, but when using HMAC, you get the entropy of the secret, which is typically 256 bits. However, you’re right that someone like a potential employee or anyone with access to the secret key could still brute-force the URL. One possible solution is to store the URLs locally and use a randomly generated 256-bit secret key that is encrypted and easily retrievable by the user (similar to password management strategies). This way, the user can perform URL hashing on the client side without exposing the secret/URL to any third party.

The fact that there are multiple match detections greatly complicates this. To do a regex match, one pretty much needs the cleartext URL.
