Replying to Avatar brugeman

If ncryptsec isn't stored on the client, how can it be retieved and decrypted without asking for password? Either it can't be retrieved, or it can using stored hash but can't be decrypted, or it can be retrieved and decrypted but then stored hash can be stolen and used to retrieve and decrypt, which is equivalent to just storing the nsec. Am I missing something?
Avatar
DanConwayDev 1y ago

Your right. The user shouldn't be able to authenticate with the server using a hash of something stored in localstorage.

Therefore the password hash for the server auth key needs to use a different salt.

Reply to this note

Please Login to reply.

Discussion

No replies yet.