[pass] Pass leaks password lengths through file sizes
daniel at schoepe.org
Sat May 10 14:44:57 CEST 2014
One reason for using a password manager that encrypts its password
store is to keep the passwords safe even if the password store
itself gets into the wrong hands (e.g. if a laptop is stolen and the
user didn't use hard drive encryption).
However, at the moment pass seems to leak the length of the passwords
through the file size of the stored passwords. As far as I can tell
the file sizes vary based on the length of the GPG key that is used,
but are only dependent on the password length otherwise.
For example, a one-character password encrypted with a 2048 RSA key
results in a file size of 324 bytes, a five-character password generates
a file that is 328 bytes long, etc. I tested this with two different
2048 bit keys.
Similarly, for 4096 bit RSA keys, password file sizes start at 580 bytes
and increase by one byte per password character as well.
If an attacker gets his hands on a password store, this could be
problematic since it decreases the search space for passwords
considerably; especially if they have some offline method of
bruteforcing passwords (e.g. if they obtained the hash of a user's
password from some database).
I think this is an issue and should be fixed, even though all the fixes
I can see would detract from the simplicity of the current implementation.
One way to remedy this is the following: When adding a new password one
could generate a random number of bytes and append that, along with
information on how many junk bytes were added, to the entry and discard
them when reading the password. This has the disadvantage of the files
no longer being easily readable/usable without pass.
I'd like to know if others also think that this is a security issue and
if there are better ways of fixing it.
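As an added illustration (not code from the post or from pass itself): the first function shows what an attacker learns from an unpadded entry's size, using the 324-byte baseline for a 2048-bit key quoted above; the second pair implements the proposed junk-byte fix, but pads each entry up to a multiple of an assumed 64-byte bucket rather than by a random count, so the stored length reveals only the bucket, not the exact password length.

```python
import os
import struct

# From the post: with a given 2048-bit RSA key, a 1-char password gives a
# 324-byte file and each extra password character adds one byte.
SIZE_2048_ONE_CHAR = 324


def inferred_length(file_size: int, one_char_size: int = SIZE_2048_ONE_CHAR) -> int:
    """Password length an attacker reads off an unpadded entry's file size."""
    return file_size - one_char_size + 1


BUCKET = 64  # assumed: plaintext is padded up to a multiple of this many bytes
HEADER = struct.Struct(">H")  # 2-byte big-endian length of the real entry


def pad_entry(entry: bytes, bucket: int = BUCKET) -> bytes:
    """Prefix the true length, then append random junk so the plaintext
    length (and hence the ciphertext length) depends only on the bucket."""
    if len(entry) > 0xFFFF:
        raise ValueError("entry too long for 2-byte length header")
    body = HEADER.pack(len(entry)) + entry
    junk = (-len(body)) % bucket  # bytes needed to reach the next bucket edge
    return body + os.urandom(junk)


def unpad_entry(padded: bytes) -> bytes:
    """Recover the real entry; reject a header that points past the data."""
    if len(padded) < HEADER.size:
        raise ValueError("entry shorter than header")
    (n,) = HEADER.unpack_from(padded)
    if n > len(padded) - HEADER.size:
        raise ValueError("corrupt length header")
    return padded[HEADER.size:HEADER.size + n]


if __name__ == "__main__":
    # Constructed sample entries; both land in the same 64-byte bucket.
    for pw in (b"a", b"correct horse battery"):
        print(len(pw), "->", len(pad_entry(pw)), "bytes before encryption")
```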