<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>I think I agree with Thibault on 1 - there are some sites that just don't allow big enough passwords, and some places are still using PIN codes (like certain airlines).<br></div>
<div><br></div>
<div id="sig46554162"><div class="signature">--<br></div>
<div class="signature">Marin<br></div>
<div class="signature"><br></div>
<div><br></div>
</div>
<div><br></div>
<div>On Thu, Feb 23, 2017, at 12:52 PM, Emil Lundberg wrote:<br></div>
<blockquote type="cite"><p dir="ltr">If the stored passwords are not strong enough to withstand a brute force attack with known cleartext length, that defeats the purpose of using a password vault in the first place.<br></p><p dir="ltr">It is true that the website says nothing of best practices when using a password vault, but is it really likely that pass will be the first solution a newbie user comes across? I would think a prospective user has either used another password vault before, or has used PGP and understands basic security best practices that way.<br></p><p dir="ltr">/Emil<br></p><div><br></div>
<div defang_data-gmailquote="yes"><div dir="ltr">On Thu, 23 Feb 2017, 17:54 Thibault Polge, <<a href="mailto:thibault@thb.lt">thibault@thb.lt</a>> wrote:<br></div>
<blockquote defang_data-gmailquote="yes" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div><br></div>
<div>> Not telling you my password length is a form of security through<br></div>
<div> > obscurity. The strength of the password comes from its length and its<br></div>
<div> > randomness - not from keeping its length secret.<br></div>
<div> <br></div>
<div> I partially agree. Iff strong passwords are used, knowledge of the size<br></div>
<div> of these passwords is no serious help to an attacker. *But* otherwise,<br></div>
<div> it may /prove/ that a brute-force attack is feasible, give an estimate<br></div>
<div> of the required effort, and thus help decide if such an attack is worth<br></div>
<div> doing.<br></div>
<div> <br></div>
<div> I think the issue is in fact *not* whether pass hides the password<br></div>
<div> length or not, but whether these intrinsic characteristics are<br></div>
<div> explicitly documented, and they appear not to be. Not trying to do<br></div>
<div> anything fancy beyond saving/retrieving little blobs probably makes it a<br></div>
<div> better player in Unixland, but the implications of this should, IMHO, be<br></div>
<div> more clearly stated than they actually are.<br></div>
<div> <br></div>
<div> If the source code of the website is available somewhere, I'd be happy<br></div>
<div> to provide a patch (I'm assuming some sort of static generator; if it's<br></div>
<div> written directly in raw HTML, I can propose changes to the HTML itself,<br></div>
<div> of course).<br></div>
<div> <br></div>
<div> Best regards,<br></div>
<div> Thibault<br></div>
<div> _______________________________________________<br></div>
<div> Password-Store mailing list<br></div>
<div> <a href="mailto:Password-Store@lists.zx2c4.com">Password-Store@lists.zx2c4.com</a><br></div>
<div> <a href="https://lists.zx2c4.com/mailman/listinfo/password-store">https://lists.zx2c4.com/mailman/listinfo/password-store</a><br></div>
</blockquote></div>
<div><u>_______________________________________________</u><br></div>
<div>Password-Store mailing list<br></div>
<div><a href="mailto:Password-Store@lists.zx2c4.com">Password-Store@lists.zx2c4.com</a><br></div>
<div><a href="https://lists.zx2c4.com/mailman/listinfo/password-store">https://lists.zx2c4.com/mailman/listinfo/password-store</a><br></div>
</blockquote><div><br></div>
</body>
</html>