github Kasmaristo-Delvakto/memoro-vault v1.0.5
Memoro Vault v1.0.5 – Critical Security Patch + UX Enhancements

one month ago

Overview

This release resolves a critical cryptographic vulnerability present in earlier versions of Memoro Vault and introduces a set of architectural and usability improvements. The focus of v1.0.5 is to close a flaw that allowed targeted brute-force attacks against individual answers and to strengthen resistance against modern hardware-based cracking techniques. Additionally, the UX has been refined with mobile performance in mind.


Security Fixes

Removal of Per-Answer Hashes

In prior builds, individual Layer 2 answer hashes were stored directly in plaintext or in unprotected metadata structures, enabling adversaries to attempt offline dictionary attacks on each answer independently. This structure significantly reduced the effective entropy an attacker had to overcome to compromise a vault.

In v1.0.5, all per-answer hashes have been eliminated. The only remaining verifier is the vaultHash, which represents the entire answer set in the correct order and is now stored encrypted within vault.meta.

Encrypted vaultHash

The vaultHash—used to verify the integrity of all answers—is now stored encrypted. It is only accessible once the correct full key is derived from all answers in their original order. This prevents any form of early validation by an attacker, ensuring the vault can only be unlocked when all conditions are met in full.
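
A minimal sketch of the single encrypted verifier described above, added here as an illustration and not taken from Memoro Vault's code. The function names, the metadata layout, the length-prefixed answer encoding, the XOR-pad wrap and the use of scrypt from Python's standard library as the key derivation function are all assumptions made for the example.

```python
import hashlib
import hmac
import os

def _material(answers):
    # Length-prefix each answer so order and boundaries are unambiguous.
    parts = [a.encode("utf-8") for a in answers]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def _kdf(material, salt):
    # Memory-hard stand-in KDF: scrypt with N=2**12, r=8 needs about 4 MiB.
    return hashlib.scrypt(material, salt=salt, n=2**12, r=8, p=2, dklen=32)

def _wrap(key, block):
    # Stand-in cipher (assumption): XOR with a one-time pad derived from the key.
    # A real vault would use an authenticated cipher here.
    pad = hmac.new(key, b"vaultHash-wrap", hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(block, pad))

def create_meta(answers):
    # The metadata holds a salt and the wrapped vaultHash, nothing per answer.
    salt = os.urandom(16)
    material = _material(answers)
    vault_hash = hashlib.sha256(salt + material).digest()
    return {"salt": salt, "vaultHash": _wrap(_kdf(material, salt), vault_hash)}

def unlock(meta, answers):
    # Returns the vault key only when every answer is right and in order.
    material = _material(answers)
    key = _kdf(material, meta["salt"])
    unwrapped = _wrap(key, meta["vaultHash"])
    expected = hashlib.sha256(meta["salt"] + material).digest()
    return key if hmac.compare_digest(unwrapped, expected) else None

# Constructed sample answers, for illustration only.
ANSWERS = ["maple street", "biscuit", "1987"]

if __name__ == "__main__":
    meta = create_meta(ANSWERS)
    print("all correct, in order:", unlock(meta, ANSWERS) is not None)
    print("two of three correct: ", unlock(meta, ["maple street", "biscuit", "1988"]) is not None)
    print("correct but reordered:", unlock(meta, ANSWERS[::-1]) is not None)
```

A guess with two of three answers correct fails exactly like a guess with none correct, so the stored metadata gives no per-answer signal and every check costs a full key derivation.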


Cryptographic Upgrades

Migration to Argon2id

v1.0.5 replaces PBKDF2 with Argon2id for all key derivation operations. Argon2id is a modern, memory-hard key derivation function designed to mitigate brute-force attacks using parallelized hardware (e.g., GPUs, FPGAs). This change significantly improves security under offline attack scenarios.

Current parameters:

  • Memory: ~4 MB
  • Iterations: Tuned for mobile recovery
  • Parallelism: 2 threads
  • Hash length: 32 bytes

This configuration balances mobile compatibility and security, allowing vaults to be recovered even on constrained devices without compromising resistance to adversarial compute.


Usability and Platform Enhancements

  • Mobile Optimization: All recovery flows, hashing, and file unpacking are now optimized for execution on modern smartphones.
  • Preparations for Mobile App: The internal architecture is now aligned with the requirements of an upcoming native mobile app, which will offer full offline vault recovery and vault creation.
  • Improved Build Tooling: Vault building now produces more predictable ZIP layouts, cleaner entropy handling, and easier deterministic verification.

Upgrade Recommendation

All users are strongly encouraged to migrate to v1.0.5 immediately. Vaults created with prior versions may be vulnerable to partial hash analysis and key inference. The improvements in this release prevent these classes of attacks entirely and establish a stronger cryptographic baseline for all future enhancements.
