From 96660a90e4cd296a2922d7a547de4cd9d0b1928b Mon Sep 17 00:00:00 2001 From: DanConwayDev Date: Fri, 1 Sep 2023 00:00:00 +0000 Subject: feat(login) password login using encrypted nsec Enables the user to only handle the nsec upon first use of the tool by encrypting it with a password and storing it on disk in an application cache. The approach to encryption draws heavily from that used by the gossip nostr client. - unencrypted nsec is zeroed from memory - a salt is used to defend against rainbow tables - computationally expensive key stretching defends against brute-force attacks of passwords with low entropy. There is UX trade-off between decryption speed and key-stretching computation. This UX challenge is exacerbated in a cli tool as decryption must take place more regularly. Thought was put into the selected n_log and a heavily reduced value is provided for long passwords where security benefits are smaller. A more granular reducing in computation was also considered by rejected to avoided to revealing just how weak a password is as most weak passwords are reused. --- src/sub_commands/login.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/sub_commands') diff --git a/src/sub_commands/login.rs b/src/sub_commands/login.rs index d61f578..5391024 100644 --- a/src/sub_commands/login.rs +++ b/src/sub_commands/login.rs @@ -7,5 +7,6 @@ use crate::{login, Cli}; pub struct SubCommandArgs; pub fn launch(args: &Cli, _command_args: &SubCommandArgs) -> Result<()> { - login::launch(&args.nsec) + let _ = login::launch(&args.nsec, &args.password)?; + Ok(()) } -- cgit v1.2.3