Pass DBs reveal password lengths + PEBKAC issue

Thibault Polge thibault at thb.lt
Thu Feb 23 14:51:15 CET 2017


Hi,

I'm not sure, but I believe that `pass`, in its behavior and its
documentation, has some relatively minor security issues which should
probably be addressed.  I'm sorry that I really won't have time to do
any work on them, but I thought it would be better to report them anyway.

 1. pass adds absolutely no padding to encrypted keys.  The size of one
    of its *.gpg files is thus in a direct relation with the length, in
    bytes, of the cleartext password.  More specifically, for a given
    key size, the length in bytes of the encrypted password is (gpg file
    size) - n, where n is a constant which depends only on the size of
    the key.  For example, with a 4096-bit key, n is 579.  An empty
    password is stored in a 579-byte-long file, a 10-byte password in
    a 589-byte file, and so on.

    This directly violates the (reasonable) assumption that access to
    the ciphertext should bring no usable information about the
    plaintext.  In the case of passwords, I believe length counts as
    usable information.

    The consequence is a serious reduction of the complexity of
    brute-force attacks, especially when the attacker has some knowledge
    of how the user generates their passwords: I haven't done the math,
    but knowing the length of a Diceware password probably seriously
    reduces the number of candidates.

    This issue can be mitigated by adding a padding of random length
    somewhere around the passwords.  A possible workaround would be to
    append "\n" followed by n spaces to the password, where n is a
    random number between, say, 1024 and 2048.

 2. The documentation does nothing to let users know of this limitation,
    and thus some users push their password repositories on public git
    hosting sites, like GitHub.  Yes, this is obviously PEBKAC, but I
    believe that until the previous issue has been addressed (and even
    after that, IMHO), users should be *explicitly* warned against
    pushing their pass repositories to any public location.  An example
    of such a repository can be found here:
    <https://github.com/RaymondSchnyder/PassDB>, and others can easily
    be found with this GitHub search:
    <https://github.com/search?utf8=%E2%9C%93&q=*.gpg+diff%3Dgpg&type=Code&ref=searchresults>.

Thanks to all for this great tool, and my apologies if these problems
have already been reported.

Thibault.
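
Added example (not part of the post above and not pass's own code): a
small Python model of the length leak described in point 1, together
with a padding scheme in the spirit of the suggested workaround.  The
gpg output is simulated by the formula the post reports (file size =
constant overhead + plaintext length, with 579 assumed for a 4096-bit
key); no gpg call is made, so the numbers are illustrative only.  One
practitioner caveat folded into the example: gpg compresses data before
encrypting it by default, so a run of identical spaces would shrink to a
few bytes of ciphertext; the filler here is therefore made of random
characters.  Function names, the RNG hook and the sample passwords are
this example's own choices.

```python
"""Model of the pass .gpg length leak and a padding mitigation.

Added example, not pass's own code.  The ciphertext size is simulated as
overhead + plaintext length (the post's observation); the 579-byte
overhead for a 4096-bit key is taken from the post as an assumption.
"""
import secrets
import string

OVERHEAD_4096 = 579            # constant n from the post for a 4096-bit key
PAD_MIN, PAD_MAX = 1024, 2048  # random pad length range suggested in the post
_PAD_ALPHABET = string.ascii_letters + string.digits


def simulated_gpg_size(plaintext: bytes, overhead: int = OVERHEAD_4096) -> int:
    """Simulated .gpg file size: overhead + plaintext length.

    This assumes compression does not shrink the input, which holds for
    short, high-entropy data but not for long runs of one byte.
    """
    return overhead + len(plaintext)


def infer_length_unpadded(file_size: int, overhead: int = OVERHEAD_4096) -> int:
    """Attacker's view of an unpadded entry: the password length is exact."""
    return file_size - overhead


def pad_password(password: str, rng=secrets.randbelow) -> bytes:
    """Build the file contents: password on line 1, then a filler line.

    pass treats the first line as the password (`pass -c` copies only that
    line), so the filler is ignored by normal use.  The filler is random
    characters rather than spaces because gpg compresses by default and a
    run of identical bytes would compress to almost nothing, restoring
    the leak.  `rng` is a hook so tests can fix the pad length.
    """
    n = PAD_MIN + rng(PAD_MAX - PAD_MIN + 1)
    filler = "".join(secrets.choice(_PAD_ALPHABET) for _ in range(n))
    return (password + "\n" + filler).encode()


def unpad_password(blob: bytes) -> str:
    """Recover the password: everything up to the first newline."""
    return blob.split(b"\n", 1)[0].decode()


def candidate_lengths_padded(file_size: int, overhead: int = OVERHEAD_4096) -> range:
    """Attacker's view of a padded entry: only a range of lengths survives.

    padded_len = len(password) + 1 (newline) + n with n in [PAD_MIN, PAD_MAX].
    """
    padded_len = file_size - overhead
    lo = max(0, padded_len - 1 - PAD_MAX)
    hi = padded_len - 1 - PAD_MIN
    return range(lo, hi + 1)


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    for pw in ["", "correct horse battery", "x" * 10]:
        raw_size = simulated_gpg_size(pw.encode())
        blob = pad_password(pw)
        padded_size = simulated_gpg_size(blob)
        assert unpad_password(blob) == pw
        cands = candidate_lengths_padded(padded_size)
        print(f"{pw!r:24} unpadded {raw_size} B -> length {infer_length_unpadded(raw_size)}; "
              f"padded {padded_size} B -> length in [{cands.start}, {cands.stop - 1}]")
```

With a random pad length the attacker still learns an upper bound on
the password length (padded length minus the minimum pad), so padding
every entry to one fixed total length, as long as it exceeds any real
password, hides the length completely; the random-length variant above
is kept to mirror the post's suggestion.  Note also that `pass show`
prints the whole file, filler line included.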

