This merges #160 and addresses the topics raised in #159 related to PBKDF2 iterations.
Here's the content of the release:
- raise the PBKDF2 iteration count from 1k to 15k in a backward compatible way (600k will come with WebCrypto). This doesn't break remember-me or auto-decrypt links
- for custom password templates made before 2.2.0 we can't raise the iterations count without breaking, so display a warning pointing to instructions to update (linking to #161)
- warn the user when they use a short password and suggest a better one (warning can be hidden with --short)
- better wording nudging towards a strong password in the docs
Here's what the warning looks like:
WARNING: Your password is less than 16 characters (length: 4). Brute-force attacks are easy to try on public files, and you are most safe when using a long password.
👉️ Here's a strong generated password you could use: fuQKJtRUTm6LBtTPguYHI
The file was encrypted with your password. You can hide this warning by increasing your password length or adding the '--short' flag.
Non-breaking change (?)
I'm hoping it's not really a breaking change, but the output of the CLI changed if you're using a short password to display the warning. This might break functionality if people are parsing the result of --share and expecting they just get the URL. If that's a reported issue, we can hide the warning when this flag is passed.
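
An added example (not the project's own code and not part of this PR) of one way an iteration count can go from 1k to 15k without invalidating values derived under the old count: run a second PBKDF2 round over the output of the old 1k round. The chaining design, the SHA-256 digest, the 14k second round and all function names are assumptions for illustration; the password and salt are constructed sample values.

```javascript
const crypto = require("node:crypto");

// Assumed parameters: only the 1k and 15k totals come from the release notes.
const LEGACY_ITERATIONS = 1000;
const EXTRA_ITERATIONS = 14000; // 1k + 14k = 15k iterations of total work
const KEY_BYTES = 32;
const DIGEST = "sha256"; // assumption, the page does not name the digest

// Round 1: the value an older client computed and may have stored
// (for example in a remember-me entry or an auto-decrypt link).
function legacyRound(password, salt) {
  return crypto
    .pbkdf2Sync(password, salt, LEGACY_ITERATIONS, KEY_BYTES, DIGEST)
    .toString("hex");
}

// Round 2: stretch the round 1 output with the additional iterations.
function secondRound(legacyHex, salt) {
  return crypto
    .pbkdf2Sync(legacyHex, salt, EXTRA_ITERATIONS, KEY_BYTES, DIGEST)
    .toString("hex");
}

// New clients derive the key from the password by running both rounds.
function deriveKey(password, salt) {
  return secondRound(legacyRound(password, salt), salt);
}

// A stored legacy value is upgraded without ever seeing the password again.
function upgradeStoredKey(storedLegacyHex, salt) {
  return secondRound(storedLegacyHex, salt);
}

// A single-pass 15k derivation, shown only for comparison: it yields a
// different key, so encryptor and decryptor must agree on the chained scheme.
function singlePass15k(password, salt) {
  return crypto
    .pbkdf2Sync(password, salt, LEGACY_ITERATIONS + EXTRA_ITERATIONS, KEY_BYTES, DIGEST)
    .toString("hex");
}

// Constructed sample inputs.
const samplePassword = "correct horse battery staple";
const sampleSalt = "b93bbaf35459951c47721d1f3eaeb5b9";
const stored = legacyRound(samplePassword, sampleSalt);
console.log("upgraded matches fresh derivation:",
  upgradeStoredKey(stored, sampleSalt) === deriveKey(samplePassword, sampleSalt));
```

The upgrade path costs an attacker who holds only the encrypted file the full 15k iterations per guess, but a leaked legacy value still needs only the second round to become a usable key, so stored legacy values remain as sensitive as before.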