[pass] Feature requests: scrypt key derivation / salts

Chris Down chris at chrisdown.name
Sat Dec 28 07:49:54 CET 2013


On 2013-12-28 07:28:18 +0100, Jonas Wagner wrote:
> I do have a security concern, though. Because my master password has
> limited entropy, I would like to derive the encryption key from the
> password using an expensive operation (ideally scrypt). Is there already an
> easy way to do this? What do people think of this idea?
>
> If this feature does not exist yet, I'd be willing to contribute some code.
> Any hints on where to insert my changes, and what coding guidelines to
> follow, would be appreciated.

I am against implementing any cryptography in-house. We are not
cryptography experts.

> While we're at it, I think a salt should be added to the encryption.
> Otherwise people who use the same password for multiple sites (yeah I know
> you shouldn't...) will reveal this fact because the encrypted password
> files are equal.

As far as I know, this is not the case (but again, I am not a
cryptographer, so take what I say with a pinch of salt):

- OpenPGP uses hybrid encryption, and the symmetric key will be
  different each time;
- GPG uses a random IV.
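The salted scrypt derivation Jonas proposes, alongside the unsalted fast hash whose equal outputs would make password reuse visible, as an added Python example that is not code from this thread or from pass itself; the cost parameters and the sample password are assumed values chosen for illustration (stdlib only, `hashlib.scrypt` needs Python 3.6+ built against OpenSSL 1.1+).

```python
import hashlib
import os

# Assumed scrypt cost parameters for illustration; tune them for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32   # bytes of derived key material
SALT_LEN = 16  # bytes of random salt stored next to the ciphertext


def weak_key(password: str) -> bytes:
    """Unsalted, fast derivation: one SHA-256 of the password.
    Every file protected with the same password gets the same key, so equal
    keys reveal password reuse, and each guess costs an attacker one cheap hash."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def new_salt() -> bytes:
    """A fresh random salt per file; it is public and stored with the ciphertext."""
    return os.urandom(SALT_LEN)


def scrypt_key(password: str, salt: bytes, n: int = SCRYPT_N) -> bytes:
    """Salted, memory-hard derivation with scrypt.
    The salt makes keys for one password unrelated across files; the cost
    parameters (n, r, p) make each guess of a low-entropy password expensive."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024, dklen=KEY_LEN,
    )


def same_key_for_two_files(password: str, salted: bool) -> bool:
    """Protect two files with one password and report whether they share a key,
    which is exactly what lets an observer notice the password was reused."""
    if salted:
        return scrypt_key(password, new_salt()) == scrypt_key(password, new_salt())
    return weak_key(password) == weak_key(password)


if __name__ == "__main__":
    pw = "hunter2"  # constructed low-entropy sample password
    print("unsalted SHA-256 keys equal:", same_key_for_two_files(pw, salted=False))
    print("salted scrypt keys equal:   ", same_key_for_two_files(pw, salted=True))
    salt = new_salt()
    # Decryption needs the same stored salt to reproduce the same key.
    print("scrypt reproducible with stored salt:", scrypt_key(pw, salt) == scrypt_key(pw, salt))
```

Decryption reproduces the key only from the same stored salt, which is why the salt travels with the ciphertext rather than being kept secret.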