robinmoisson/staticrypt

Upgrading your password_template

robinmoisson opened this issue · 0 comments

EDIT: the password_template in staticrypt 3.x is much simpler. If you need to update your password_template, consider moving straight to 3.x. See the migration guide.

This issue describes how to update your custom password_template.html file if you get this warning message:

#################################

SECURITY WARNING [StatiCrypt]: You are using an old version of the password template, which has been found to be less secure. Please update your custom password_template logic to match the latest version
You can find instructions here: https://github.com/robinmoisson/staticrypt/issues/161

#################################

#159 explains the reason for this message: the PBKDF2 iteration count used prior to 2.4.0 was low, which makes short and medium-length passwords weaker against brute-force attacks.

For templates based on 2.2.0 and up, we were able to increase the iteration count even when people use a custom password_template, but this is not possible for custom templates based on earlier versions.

If you're in that case, you should upgrade your template to benefit from the added security.

What to do

This should be a fairly simple operation: head to the latest template file

  • here if you're on 2.x
  • [link coming soon if you're on 1.x and want to stay there]

Then take the JS logic from the up-to-date template and use it to replace the decryption logic in your custom template.

If you're not using a custom password template, or you based it on version 2.2.0 or up, you don't have to do anything.

Feel free to comment here if you need help.