[pass] New approach

Kevin Cox kevincox at kevincox.ca
Thu Jun 5 18:55:06 CEST 2014

On 05/06/14 12:28, Santiago Borrazás wrote:
> What do you think about storing password with this approach?

Disclaimer: I am not a cryptographer.

I'm a little apprehensive but it doesn't seem too bad to me.

If you assume that your hash function is a random oracle and nobody
knows your "master" password then it should be perfectly secure.
However, if an attacker gains access to a single password they can work
out your master password especially if it is weak.  (They can brute
force it, so if the entropy is high enough this should be impractical)

The nice thing about using random strings is that access to any password
only lets them into one site with no way to work out the other
passwords.  In order to access all your passwords they would have to
gain access to your database which hopefully isn't being sent to every
site you log in to.

database approach -> Database     + brute force master = All passwords.
hashing  approach -> Any password + brute force master = All passwords.

So in conclusion if your master password is strong enough then it should
be fine, but given any password they can brute force your master.

Again, IMNAC but personally I prefer something like pass/keepass.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20140605/70e993f4/attachment.asc>

More information about the Password-Store mailing list