Implementing time-out after inputting wrong password

Hello everyone,

Sorry, I am a complete n00b in that regard, but wouldn’t it make Cryptomator even more secure if it had a time-out after an incorrect password has been entered? So another password attempt could not be made right away (but only after a set amount of time like 10 seconds or 1 minute).

This way, it would be nearly impossible for a person other than the creator of the vault to gain access even when attacking it with super-powerful hardware (unless the password is very easy to guess, of course).

If the true owner of a vault just makes a typo, there is no problem in having him wait for a few seconds before he can enter the password again.

Why is this not a good idea?

This sounds very reasonable to me so there must be a catch, otherwise you would have implemented this already.

Kind regards

1 Like

TLDR: there is a wait between tries, but in a different way. I asked Brave Search AI to explain it for you.

PBKDF2 vs Brute Force Attacks

Why password timeout does not add more security against brute-force attacks:

  1. Brute-force attacks are designed to be persistent: Attackers will continue to try passwords until they find the correct one, regardless of the timeout interval. A timeout only delays the attack, but does not prevent it.
  2. Insufficient protection against parallel attacks: Modern brute-force tools can perform thousands of attempts per second, making it easy to bypass a timeout. Attackers can simply use multiple machines or distributed computing to launch parallel attacks, overwhelming the timeout mechanism.
  3. No impact on the encryption algorithm: A password timeout does not affect the encryption algorithm’s security. The attacker can still use the same password to decrypt the data once they obtain it, regardless of the timeout.
  4. Potential for DoS: Implementing a password timeout can lead to a denial-of-service (DoS) scenario, where legitimate users are locked out due to excessive failed login attempts, making it difficult for them to access their encrypted data.

Why PBKDF2 is a better solution:

  1. Key stretching: PBKDF2 (Password-Based Key Derivation Function 2) is designed to slow down the key derivation process, making it computationally expensive for attackers to perform brute-force attacks. This slows down the attack, making it more detectable and preventing parallel attacks.
  2. Memory-hard functions: PBKDF2 uses memory-hard functions, which require significant memory access and computation, making it difficult for attackers to parallelize the attack using GPU or distributed computing.
  3. Key derivation: PBKDF2 derives a key from the password, rather than using the password directly. This makes it more resistant to rainbow table attacks and reduces the effectiveness of precomputed tables.
  4. Standardized and widely adopted: PBKDF2 is a widely accepted and standardized algorithm, ensuring compatibility with various encryption libraries and frameworks.
  5. Combines with other security measures: PBKDF2 can be used in conjunction with other security measures, such as salted hashes, to provide additional protection against attacks.

In summary, while a password timeout may seem like a simple security measure, it is ineffective against persistent and parallel brute-force attacks. PBKDF2, on the other hand, provides a robust and standardized solution that slows down key derivation, making it more resistant to attacks and providing a stronger foundation for encryption security.

3 Likes
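The "waiting between tries" that the reply attributes to key stretching can be measured directly. The sketch below is an added example, not part of either post and not Cryptomator's code: it derives a key with PBKDF2-HMAC-SHA256 from Python's standard library, calibrates an iteration count to a target per-guess cost on the local machine, and estimates how long trying a given number of candidates would take. The 0.1 second target, the 16-byte salt, the sample passphrase and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)

def check_password(candidate: str, salt: bytes, iterations: int,
                   expected_key: bytes) -> bool:
    """Every check pays the full derivation cost; the comparison is constant-time."""
    return hmac.compare_digest(derive_key(candidate, salt, iterations),
                               expected_key)

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("constructed-sample", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def calibrate_iterations(target_seconds: float, start: int = 10_000) -> int:
    """Double the iteration count until one derivation costs >= target_seconds."""
    iterations = start
    while seconds_per_guess(iterations) < target_seconds:
        iterations *= 2
    return iterations

def years_to_try_all(candidates: int, per_guess_seconds: float,
                     workers: int = 1) -> float:
    """Time to run every candidate through the KDF, split across workers."""
    return candidates * per_guess_seconds / workers / (365 * 24 * 3600)

if __name__ == "__main__":
    salt = os.urandom(16)                      # stored next to the ciphertext
    iterations = calibrate_iterations(0.1)     # assumed target: 0.1 s per try
    key = derive_key("constructed sample passphrase", salt, iterations)
    cost = seconds_per_guess(iterations)
    print(f"iterations={iterations}, cost per guess={cost:.3f}s")
    print("typo rejected:", not check_password("constructed sample passphrasf",
                                               salt, iterations, key))
    # Constructed keyspace: 8 lowercase letters = 26**8 candidates.
    print(f"26**8 candidates, 1 worker: {years_to_try_all(26**8, cost):.1f} years")
```

Because the delay is part of the derivation itself, it applies to every attempt wherever it is made, while a timer in the application only covers attempts made through that application.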