TOTP support in password-store

Reed Loden reed at reedloden.com
Sat Dec 31 00:50:36 CET 2016


If I compromise your computer, I still get both the password and the TOTP
secret just from a simple keylogger. Not safe.

If you don't want to use your phone, just get a hardware token of some sort
(Yubikey or similar).

~reed

On Fri, Dec 30, 2016 at 3:31 PM Bertrand Jacquin <bertrand at jacquin.bzh>
wrote:

> Well, they don't have to be stored on the password store directory nor
> encrypted using the same GPG key.
>
> On 30/12/2016 23:28, Reed Loden wrote:
> > How is that 2FA if both factors are stored on the same media? Seems
> > quite insecure to me.
> >
> > ~reed
> >
> > On Fri, Dec 30, 2016 at 3:16 PM Bertrand Jacquin
> > <bertrand at jacquin.bzh> wrote:
> >
> >> Hi,
> >>
> >> Thanks to everyone involved in this really nice password tool you've
> >> made, this is something I'm using every day and really enjoy using
> >> it.
> >>
> >> Have you ever considered adding an option to handle TOTP, meaning
> >> that the seed could be stored in a gpg file and pass could provide an
> >> easy way to get current OTP by using oathtool. For example:
> >>
> >> $ oathtool -v --base32 --totp XXX
> >> Hex secret: YYY
> >> Base32 secret: XXX
> >> Digits: 6
> >> Window size: 0
> >> Step size (seconds): 30
> >> Start time: 1970-01-01 00:00:00 UTC (0)
> >> Current time: 2016-12-18 17:42:53 UTC (1482082973)
> >> Counter: 0x2F1D38D (49402765)
> >>
> >> 799465
> >>
> >> That would be really handy for me to just run:
> >>
> >> $ pass show -c --totp Web/gandi.net [1]
> >>
> >> And being able to paste when Gandi asks for it.
> >>
> >> Cheers
> >>
> >> --
> >> Bertrand
> >
> > Links:
> > ------
> > [1] http://gandi.net
>
> --
> Bertrand
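
Added example, not part of the original thread: a Python version of the RFC 6238 computation that `oathtool --totp` performs with the defaults shown in the quoted output (6 digits, 30-second step, start time 0). It shows that the seed and the clock are the only inputs to a code, which is why where the seed is stored matters; the seed is the constructed RFC 6238 test key, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # "Step size (seconds): 30" in the quoted oathtool output
DIGITS = 6     # "Digits: 6"


def counter_at(unix_time, step=STEP, start=0):
    """Time-step counter: whole steps elapsed since the start time."""
    return (unix_time - start) // step


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP from a base32 seed, as with `oathtool --base32 --totp`."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)         # restore stripped padding
    key = base64.b32decode(cleaned)
    return hotp(key, counter_at(unix_time, step), digits)


# Constructed sample seed: the RFC 6238 test key, base32-encoded.
SAMPLE_SEED = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # The "Current time" from the quoted run yields the "Counter" it printed.
    t = 1482082973
    print(hex(counter_at(t)), counter_at(t))
    # Anyone holding the seed can compute the code for any moment.
    print(totp(SAMPLE_SEED, 59))
```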