[pass] totp enhancement

Lenz Weber mail at lenzw.de
Wed Aug 5 16:27:24 CEST 2015


Hi,
maybe it is more accurate to concentrate on the "One Time Password" here
than on the "Two Factor".

If an attacker snoops on the communication, he still has no access, as
the OTP can only be used once (and is already used up), so an OTP is
much more secure than a simple password - even without 2-Factor.
In addition with a normal password, it also makes brute forcing
virtually impossible as you had to guess the OTP and the password - if
you get the OTP right, you have one attempt at the password, then you
have to guess a different OTP.

If you combine that with a GPG Smartcard, you are back to "real"
2-Factor, as the GPG key becomes the second, 'external' factor, but as I
said, even without it, it still is a security improvement against many
attacks.

Regards,
Lenz

Am 05.08.2015 um 15:57 schrieb Alexandre Pujol:
> Hi,
>
> Maybe I'm wrong, but in my opinion it is a mistake to use a password
> manager in order to store OTP secrets.
>
> The aim of an TFA is to increase the auth security requiring the
> combination of two different components. For instance something you
> know (a password) and something you've got (a key, a OTP generated on
> your mobile or on a security device...).
>
> Therefore if you store your OTP secrets in the same place than all
> your passwords it makes the whole thing pointless.
>
> Regards,
> Alex
>
> On 05/08/15 12:50, admin wrote:
>> Hello,
>> I'm apologize for my poor english and my bad code... But I tried to
>> add a functionality to allow password-store to generate a time otp.
>> It's very useful for websites requesting a 2FA totp like google or
>> github. See my fork of the master github password-store :
>> https://github.com/Gambiit/password-store
>> Thanks a lot for password-store, Best regards :)
>>
>>
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> http://lists.zx2c4.com/mailman/listinfo/password-store
>
>
>
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/password-store

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20150805/483a786c/attachment.html>


More information about the Password-Store mailing list