Function used to convert passphrase to encryption key
So this issue is one of security. I don't know that the function that I used (or rather wrote) is cryptographically strong enough to store the account information when it is AES encrypted. There is a "random" IV that I am using and there is a lot of hashing going on; I'm not using a single hash or ECB, so it's not completely crap, but I wonder if it's strong enough.
This is something that I need to contemplate, because if I change it, it will break any stored accounts right now. I haven't been doing version tracking in the XML or in the overall application, so there's no real good way to say "You're on an old version, please wait while I convert your accounts to the latest version." aside from the change from a .DAT file to XML.
I recently coded up a PBKDF2<T> (RFC 2898) method for another project that would work here nicely, but as I stated above, any changes to the hash methods used to set the key and IV for the AES encryption will BREAK any stored accounts. I don't want to put any users through that pain unless I can safely, and automatically, upconvert them to the new version. In the future, I also need to better keep track of the assembly version and the build number in case of such issues going forward.
I will be revisiting this...
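The two concerns raised in this work item, a standards-based passphrase-to-key function and a way to tell which format a stored account record is in so it can be upconverted later, can be handled together by writing a format version into each record. The following is an added illustration and is not code from this project; it assumes .NET 6 or later (for the static `Rfc2898DeriveBytes.Pbkdf2` and `AesGcm` APIs), and the class, method and constant names (`VersionedAccountStore`, `Seal`, `Open`, `CurrentVersion`) are invented for the example. It uses PBKDF2-HMAC-SHA256 with a per-record random salt, a random nonce stored alongside the ciphertext, and AES-GCM in place of unauthenticated AES so that a tampered header or ciphertext is rejected instead of decrypted to garbage.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Text;

// Added example, not the project's own code. Assumes .NET 6+.
public static class VersionedAccountStore
{
    // Bump this whenever the KDF, its parameters, or the record layout change.
    // Old records stay identifiable because their first byte says how they were built,
    // which is what an automatic "upconvert on load" path needs.
    public const byte CurrentVersion = 2;

    const int SaltSize = 16, NonceSize = 12, TagSize = 16, KeySize = 32;
    const int Iterations = 200_000;
    const int HeaderSize = 1 + SaltSize + 4 + NonceSize;

    // Record layout: [version:1][salt:16][iterations:4 LE][nonce:12][tag:16][ciphertext]
    public static byte[] Seal(string passphrase, byte[] plaintext)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);   // random per record, never derived from the passphrase
        byte[] header = BuildHeader(salt, Iterations, nonce);

        byte[] key = Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA256, KeySize);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagSize];
        try
        {
            // The header is passed as associated data, so the version byte, salt and
            // iteration count are covered by the authentication tag.
            using var aes = new AesGcm(key);
            aes.Encrypt(nonce, plaintext, ciphertext, tag, header);
        }
        finally { CryptographicOperations.ZeroMemory(key); }

        byte[] record = new byte[HeaderSize + TagSize + ciphertext.Length];
        Buffer.BlockCopy(header, 0, record, 0, HeaderSize);
        Buffer.BlockCopy(tag, 0, record, HeaderSize, TagSize);
        Buffer.BlockCopy(ciphertext, 0, record, HeaderSize + TagSize, ciphertext.Length);
        return record;
    }

    public static byte[] Open(string passphrase, byte[] record)
    {
        if (record.Length < HeaderSize + TagSize)
            throw new CryptographicException("record too short");

        byte version = record[0];
        if (version != CurrentVersion)
            // A loader that supports migration would dispatch to the decryptor for
            // `version` here and then call Seal() to rewrite the record in the current format.
            throw new NotSupportedException($"record format version {version} is not the current version {CurrentVersion}; upconvert it first");

        int off = 1;
        byte[] salt = record.AsSpan(off, SaltSize).ToArray();                         off += SaltSize;
        int iterations = BinaryPrimitives.ReadInt32LittleEndian(record.AsSpan(off, 4)); off += 4;
        byte[] nonce = record.AsSpan(off, NonceSize).ToArray();                       off += NonceSize;
        byte[] tag = record.AsSpan(off, TagSize).ToArray();                           off += TagSize;
        byte[] ciphertext = record.AsSpan(off).ToArray();
        byte[] header = record.AsSpan(0, HeaderSize).ToArray();

        // The iteration count is only authenticated after the key has been derived with it,
        // so bound it first; otherwise a corrupted record could demand an absurd amount of work.
        if (iterations < 1 || iterations > 10_000_000)
            throw new CryptographicException("implausible iteration count in record header");

        byte[] key = Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, iterations, HashAlgorithmName.SHA256, KeySize);
        byte[] plaintext = new byte[ciphertext.Length];
        try
        {
            using var aes = new AesGcm(key);
            aes.Decrypt(nonce, ciphertext, tag, plaintext, header);   // throws CryptographicException on wrong passphrase or tampering
        }
        finally { CryptographicOperations.ZeroMemory(key); }
        return plaintext;
    }

    static byte[] BuildHeader(byte[] salt, int iterations, byte[] nonce)
    {
        byte[] h = new byte[HeaderSize];
        h[0] = CurrentVersion;
        salt.CopyTo(h, 1);
        BinaryPrimitives.WriteInt32LittleEndian(h.AsSpan(1 + SaltSize, 4), iterations);
        nonce.CopyTo(h, 1 + SaltSize + 4);
        return h;
    }

    public static void Main()
    {
        // Constructed sample account fragment; any bytes would do.
        byte[] account = Encoding.UTF8.GetBytes("<account user=\"alice\" host=\"example.invalid\"/>");
        byte[] record = Seal("correct horse battery staple", account);
        Console.WriteLine(Encoding.UTF8.GetString(Open("correct horse battery staple", record)));

        record[0] = 1;   // simulate a record written by an older format: Open refuses rather than mis-decrypting
        try { Open("correct horse battery staple", record); }
        catch (NotSupportedException e) { Console.WriteLine(e.Message); }
    }
}
```

Storing the salt and iteration count in the record (rather than hard-coding them) is what lets the iteration count be raised later without touching existing records, and the version byte is what makes the "old version, please wait while I convert" message possible: the loader reads one byte, picks the matching decryptor, and re-seals with the current one.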