[pass] totp enhancement

Deny Dias deny at macpress.com.br
Wed Aug 5 19:29:26 CEST 2015


On Wed 05 Aug 2015, at 16:27:24, Lenz Weber wrote:
> Hi,
> maybe it is more accurate to concentrate on the "One Time Password" here
> than on the "Two Factor".
> 
> If an attacker snoops on the communication, he still has no access, as
> the OTP can only be used once (and is already used up), so an OTP is
> much more secure than a simple password - even without 2-Factor.
> In addition with a normal password, it also makes brute forcing
> virtually impossible as you have to guess the OTP and the password - if
> you get the OTP right, you have one attempt at the password, then you
> have to guess a different OTP.
> 
> If you combine that with a GPG Smartcard, you are back to "real"
> 2-Factor, as the GPG key becomes the second, 'external' factor, but as I
> said, even without it, it still is a security improvement against many
> attacks.
> 
> Regards,
> Lenz
> 
> On 05.08.2015 at 15:57 Alexandre Pujol wrote:
> > Hi,
> >
> > Maybe I'm wrong, but in my opinion it is a mistake to use a password
> > manager in order to store OTP secrets.
> >
> > The aim of a TFA is to increase the auth security by requiring the
> > combination of two different components. For instance something you
> > know (a password) and something you've got (a key, an OTP generated on
> > your mobile or on a security device...).
> >
> > Therefore if you store your OTP secrets in the same place as all
> > your passwords it makes the whole thing pointless.
> >
> > Regards,
> > Alex
> >
> > On 05/08/15 12:50, admin wrote:
> >> Hello,
> >> I apologize for my poor English and my bad code... But I tried to
> >> add a functionality to allow password-store to generate a time OTP.
> >> It's very useful for websites requesting a 2FA TOTP like Google or
> >> GitHub. See my fork of the master GitHub password-store:
> >> https://github.com/Gambiit/password-store
> >> Thanks a lot for password-store, Best regards :)
> >>
> >>
> >> _______________________________________________
> >> Password-Store mailing list
> >> Password-Store at lists.zx2c4.com
> >> http://lists.zx2c4.com/mailman/listinfo/password-store

I may add something to this matter. If password-store is used by a savvy user, she should have encrypted the GPG key used to encrypt the password-store repository with a strong, diceware-like passphrase. This is what the user 'knows' and should never be stored inside the thing the user 'has'.

In the case that the whole physical machine gets compromised, the attacker still has no clue what the thing the user 'knows' is, which adds a great deal of complexity to cracking it, and still makes the new code pretty much 2FA.

Deny Dias.

