If users store a plain SHA256 hash of the password elsewhere, then KeyProtectedByPasswords can be decrypted using that hash. #392
Description
I made a poor choice when I was separating KeyProtectedByPassword's password-based encryption from the regular password-based encryption this library's public API exposes. I separated them by simply hashing the password once with SHA256. But now that I think about it, it's plausible that some user will store a plain SHA256 hash of the password somewhere else (e.g. as part of an insecure user authentication scheme). I should have added a domain separation string into that hash. We have three options:
- Ignore the problem, document it, and hope nobody does it.
- Fix it in a minor-version-compatible way (encryption always uses better-domain-separated hashes, but decryption will silently use whichever kind of hash it was encrypted with).
- In the next major version, make it refuse to decrypt the old kind, so that the only way to decrypt a
KeyProtectedByPasswordwill be to change the password (which will create one with better domain separation) and then unlock the result of that.
(2) and (3) aren't mutually exclusive.
I bet most users aren't storing SHA256 hashes of the passwords, so doing (3) would add an unnecessary hurdle for for all those users to update to the next major version, which could be a bad thing for the ecosystem. If we don't do (3), everyone who happened to be storing a SHA256 of the password must find out on their own that they need to recreate all of their KeyProtectedByPasswords.