Pass DBs reveal password lengths + PEBKAC issue

HacKan hackan at gmail.com
Fri Feb 24 15:25:04 CET 2017


Not padding is NOT the issue. Padding simply adds obscurity (in this case).

The issue is that pass does leak metadata (this has been discussed), so
using it in a public repo is a bad idea IMHO.

You could write an extension for that if you want, but you are not
solving anything by just padding.

What needs to be done is fix the meta leak, and that isn't possible with
the pass scheme. At most, you can use something like tomb and then sync
a single large binary file that does solve everything, except the fact
that it is very annoying given its size.

Cheers!


On 02/24/2017 11:12 AM, Kevin Lyda wrote:
> Note that you can store more than just the password. Put the password
> on the first line and then put information about the password on the
> next lines. That will obscure the length.
>
> Kevin
>
> On Fri, Feb 24, 2017 at 1:39 PM Thibault Polge <thibault at thb.lt> wrote:
>
>     > In any case, I agree it should be clearly documented.
>
>     Here's a draft of two very short paragraphs that could be added at the
>     end of the manpage, in a new “Limitations” section, just before “See
>     also”:
>
>     > The hierarchy of password names is stored as a plain text directory
>     > structure. Pass itself does nothing to conceal the names you give to
>     > your keys or to the folder structure which contains them.
>     >
>     > Pass also does nothing to hide the size of the data it encrypts. The
>     > design of OpenPGP makes it trivial to compute the length of the
>     > cleartext from the length of the cyphertext.
>
>     I'm not good at nroff stuff, but if there are no objections, I'll try
>     and send a patch to pass.1
>
>     Thanks all for your feedback,
>     Best regards,
>     Thibault
>     _______________________________________________
>     Password-Store mailing list
>     Password-Store at lists.zx2c4.com
>     https://lists.zx2c4.com/mailman/listinfo/password-store
>

-- 
HacKan || Iván
GPG: 0x35710D312FDE468B
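As an added illustration (not code from the thread or from the pass project), here is a small model of the two leaks the thread names, run over a constructed pass-style store: entry names stay visible whatever you do, and bucket-padding the entry body only flattens the size column. It assumes a 256-byte bucket and uses plaintext length as a stand-in for ciphertext length.

```python
import secrets
import string

BUCKET = 256                      # pad every entry to a multiple of this (assumed policy)
ALPHABET = string.ascii_letters + string.digits
MARKER = b"# pad: "               # extra line after the password; pass does not use it

def pad_entry(plaintext: bytes, bucket: int = BUCKET) -> bytes:
    """Return the entry with a random-filler comment line appended so that its
    length is a multiple of `bucket`.  The first line (the password) is left
    alone, so `pass show -c` still copies the right thing.  The filler is random
    rather than repetitive: gpg compresses before encrypting by default, and a
    run of identical bytes would be squeezed back to almost nothing."""
    if not plaintext.endswith(b"\n"):
        plaintext += b"\n"
    needed = (-(len(plaintext) + len(MARKER) + 1)) % bucket   # +1: trailing newline
    filler = "".join(secrets.choice(ALPHABET) for _ in range(needed)).encode()
    return plaintext + MARKER + filler + b"\n"

def visible_metadata(store: dict[str, bytes], pad: bool) -> dict[str, int]:
    """What a reader of the repository sees for each entry: the .gpg file name
    and a size.  Plaintext length stands in for ciphertext length here (a
    simplification: real .gpg files add a small header and may shrink under
    gpg's default compression), and the name is exposed unchanged."""
    return {path + ".gpg": len(pad_entry(data) if pad else data)
            for path, data in store.items()}

def distinct_sizes(store: dict[str, bytes], pad: bool) -> int:
    """How many different sizes a repo reader can distinguish."""
    return len(set(visible_metadata(store, pad).values()))

# Constructed sample store: first line is the password, later lines are notes.
STORE = {
    "email/example.com": b"hunter2\n",
    "bank/example.bank": b"correct horse battery staple\nusername: alice\n",
    "wifi/home": b"T0p-S3cr3t-W1f1-P4ssphr4se\n",
}

if __name__ == "__main__":
    for pad in (False, True):
        print("padded" if pad else "raw", visible_metadata(STORE, pad))
    # The names leak in both runs: padding changes only the size column.
```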
