When doing encyption I'm using password as crypting key. I think this is not a good idea. If somebody uses weak password, it is very easy to break crypted file.
Originally posted by Henry Wong:
You can, in theory, take any password, run it through a MD5 + SHA256 + etc., and you get a strong key. However, you can decompile the class files, figure out the algorthm on generating the key, and then try to break it from there. This is why you also need a strong password.
I should explain the use of the salt with the key. You don't need to keep it secret; you just need to make sure it's very random, and generate a new salt every time the password is generated or changed. This ensures that you get a completely different secret key, even for the same password, and even for weak passwords.
Originally posted by Uuno Turhapuro:
How I can make complitely random salt? If salt is different every time, how decrypting is then done? I can generate whole new key based on password, but I should be able to generate that same key when decrypting that file.
Originally posted by Pat Farrell:
Sometimes its helpful to put a known string in the cleartext so you can quickly tell if the decipher worked. If you do this, you should also use an IV and store it also in the clear.
Originally posted by Carey Evans:
I don't know whether it matters if you use the same IV for the password and the cipher.