Strengthen Master Password Requirements

.jules/sentinel.md

@@ -9,3 +9,8 @@
 **Vulnerability:** Missing input length limits on snippets and projects, leading to potential client-side DoS or memory exhaustion.
 **Learning:** In a client-side application where all data is kept in memory (and localStorage), excessively large inputs can degrade performance or crash the browser. Input validation must happen at both the UI level and during data ingestion (imports).
 **Prevention:** Implement `maxLength` on all user-facing inputs and enforce the same limits in JSON parsing/import logic to ensure data stays within safe bounds.
+
+## 2025-05-16 - Defense in Depth for Master Password Requirements
+**Vulnerability:** Weak master password requirements (8 characters) below modern security standards for cryptographic applications.
+**Learning:** Enforcing password strength in the UI is necessary for user experience, but must be complemented by enforcement at the cryptographic layer to prevent bypass. Centralizing these limits in a `LIMITS` object ensures consistency across the application.
+**Prevention:** Always use a centralized `LIMITS` constant for security-critical thresholds and implement validation in both the UI components and the core logic (e.g., crypto functions).

components/EncryptionModal.jsx

@@ -4,7 +4,6 @@ import React, { useState } from 'react';
 import { Lock, Shield, ShieldOff, Eye, EyeOff, AlertTriangle, Key } from 'lucide-react';
 import { Button } from '@/components/ui/button';
 import { Input } from '@/components/ui/input';
-import { MASTER_PASSWORD_MAX_LENGTH } from '@/lib/constants';
 import {
   Dialog,
   DialogContent,
@@ -16,6 +15,19 @@ import {
 import { cn } from '@/lib/utils';
 import { LIMITS } from '@/lib/constants';
 
+// Helper to validate password strength
+const validatePassword = (pw) => {
+  if (pw.length < LIMITS.MASTER_PASSWORD_MIN) {
+    return `Password must be at least ${LIMITS.MASTER_PASSWORD_MIN} characters`;
+  }
+  // Require at least 4 unique characters to prevent simple repetition like "123123123123"
+  const uniqueChars = new Set(pw).size;
+  if (uniqueChars < 4) {
+    return 'Password is too simple. Use a wider variety of characters.';
+  }
+  return null;
+};
+
 // Setup encryption for first time
 export function EncryptionSetupModal({ open, onClose, onSetup }) {
   const [password, setPassword] = useState('');
@@ -27,8 +39,9 @@ export function EncryptionSetupModal({ open, onClose, onSetup }) {
   const handleSetup = async () => {
     setError('');
 
-    if (password.length < 8) {
-      setError('Password must be at least 8 characters');
+    const validationError = validatePassword(password);
+    if (validationError) {
+      setError(validationError);
       return;
     }
 
@@ -75,7 +88,7 @@ export function EncryptionSetupModal({ open, onClose, onSetup }) {
           <div className="relative">
             <Input
               type={showPassword ? 'text' : 'password'}
-              placeholder="Master password (min 8 characters)"
+              placeholder={`Master password (min ${LIMITS.MASTER_PASSWORD_MIN} chars)`}
               value={password}
               onChange={(e) => setPassword(e.target.value)}
               maxLength={LIMITS.MASTER_PASSWORD}
@@ -355,8 +368,9 @@ export function ChangePasswordModal({ open, onClose, onChange }) {
   const handleChange = async () => {
     setError('');
 
-    if (newPassword.length < 8) {
-      setError('New password must be at least 8 characters');
+    const validationError = validatePassword(newPassword);
+    if (validationError) {
+      setError(validationError);
       return;
     }
 
@@ -419,7 +433,7 @@ export function ChangePasswordModal({ open, onClose, onChange }) {
 
           <Input
             type={showPasswords ? 'text' : 'password'}
-            placeholder="New password (min 8 characters)"
+            placeholder={`New password (min ${LIMITS.MASTER_PASSWORD_MIN} chars)`}
             value={newPassword}
             onChange={(e) => setNewPassword(e.target.value)}
             maxLength={LIMITS.MASTER_PASSWORD}

lib/constants.js

@@ -9,6 +9,8 @@ export const LIMITS = {
   SNIPPET_TITLE: 100,
   FIELD_LABEL: 50,
   FIELD_VALUE: 10000,
+  MASTER_PASSWORD_MIN: 12,
+  MASTER_PASSWORD_LEGACY_MIN: 8,
   MASTER_PASSWORD: 128,
   MAX_PROJECTS: 50,
   MAX_SNIPPETS_PER_PROJECT: 200,

lib/crypto.js

@@ -1,6 +1,6 @@
 import nacl from 'tweetnacl';
 import naclUtil from 'tweetnacl-util';
-import { SECURITY } from './constants';
+import { SECURITY, LIMITS } from './constants';
 const { encodeBase64, decodeBase64, encodeUTF8, decodeUTF8 } = naclUtil;
 
 // Constants
@@ -57,6 +57,13 @@ export function generateNonce() {
  * Returns base64 encoded: salt + nonce + ciphertext
  */
 export async function encrypt(plaintext, password) {
+  // Defense-in-depth: enforce minimum password length
+  // We use the legacy minimum here to avoid breaking existing users with 8-11 character passwords
+  // who would otherwise be unable to save updates to their data.
+  if (password.length < LIMITS.MASTER_PASSWORD_LEGACY_MIN) {
+    throw new Error(`Password too short (min ${LIMITS.MASTER_PASSWORD_LEGACY_MIN} characters)`);
+  }
+
   const salt = generateSalt();
   const key = await deriveKey(password, salt);
   const nonce = generateNonce();
@@ -114,6 +121,12 @@ export async function decrypt(encryptedData, password) {
  * This is stored to verify the password is correct without storing it
  */
 export async function createPasswordHash(password) {
+  // Defense-in-depth: enforce minimum password length
+  // We use the legacy minimum here to avoid breaking existing users.
+  if (password.length < LIMITS.MASTER_PASSWORD_LEGACY_MIN) {
+    throw new Error(`Password too short (min ${LIMITS.MASTER_PASSWORD_LEGACY_MIN} characters)`);
+  }
+
   const salt = generateSalt();
   const key = await deriveKey(password, salt);