Pass DBs reveal password lengths + PEBKAC issue

Thibault Polge thibault at thb.lt
Thu Feb 23 17:53:36 CET 2017


> Not telling you my password length is a form of security through
> obscurity.  The strength of the password comes from its length and its
> randomness - not from keeping its length secret.

I partially agree.  Iff strong passwords are used, knowledge of the size
of these passwords is no serious help to an attacker.  *But* otherwise,
it may /prove/ that a brute-force attack is feasible, give an estimate
of the required effort, and thus help decide if such an attack is worth
doing.

I think the issue is in fact *not* whether pass hides the password
length or not, but whether these intrinsic characteristics are
explicitly documented, and they appear not to be.  Not trying to do
anything fancy beyond saving/retrieving little blobs probably makes it a
better player in Unixland, but the implications of this should, IMHO, be
more clearly stated than they actually are.

If the source code of the website is available somewhere, I'd be happy
to provide a patch (I'm assuming some sort of static generator; if it's
written directly in raw HTML, I can propose changes to the HTML itself,
of course).

Best regards,
Thibault
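Added illustration of the point argued above, not part of Thibault's message nor of pass itself: what an attacker can compute once the password length leaks (from the size of the encrypted blob), versus knowing only an upper bound, plus the padding a defender could apply before encryption so the ciphertext size stops revealing the exact length. Alphabet sizes, guess rates and the time budget are assumptions.

```python
"""Effort estimate for a guessing attack when the password length is known
(e.g. leaked through the size of an encrypted file) versus when only an
upper bound is known.  Constructed example; alphabet size and guess rate
are assumptions, not measurements of any real system."""
from math import log2


def keyspace(alphabet_size: int, length: int, length_known: bool) -> int:
    """Candidates an exhaustive search must cover: exactly alphabet**length
    when the length is known, every length 1..length when it is not."""
    if length_known:
        return alphabet_size ** length
    return sum(alphabet_size ** n for n in range(1, length + 1))


def expected_seconds(alphabet_size: int, length: int, guesses_per_sec: float,
                     length_known: bool = True) -> float:
    """Expected time to hit a uniformly random password: half the keyspace."""
    return keyspace(alphabet_size, length, length_known) / 2 / guesses_per_sec


def feasibility(alphabet_size: int, length: int, guesses_per_sec: float,
                budget_seconds: float) -> dict:
    """What the leaked length tells an attacker: entropy (assuming a uniformly
    random password), expected attack time, whether it fits the budget, and
    how much the exact length saved compared with knowing only the bound."""
    secs = expected_seconds(alphabet_size, length, guesses_per_sec)
    return {
        "entropy_bits": length * log2(alphabet_size),
        "expected_seconds": secs,
        "feasible": secs <= budget_seconds,
        "gain_from_length": keyspace(alphabet_size, length, False)
        / keyspace(alphabet_size, length, True),
    }


def pad_secret(secret: bytes, block: int = 64) -> bytes:
    """Defender-side mitigation (hypothetical, not pass's behaviour): pad to a
    multiple of `block` before encrypting so the ciphertext size only reveals
    the length bucket.  Marker byte 0x80 followed by zero bytes; a full extra
    block is added when the secret already fills a block, so unpadding is
    unambiguous."""
    pad_len = block - (len(secret) % block)
    return secret + b"\x80" + b"\x00" * (pad_len - 1)


def unpad_secret(padded: bytes) -> bytes:
    """Strip the padding: the last 0x80 is the marker, everything after it
    is zero filler, so this works whatever bytes the secret contains."""
    return padded[: padded.rindex(b"\x80")]
```

With the sample numbers, a random 8-character lowercase password is found in minutes at a billion guesses per second whether or not the length is known (knowing it saves only about 4%), while a 24-character random password from a 94-symbol alphabet stays out of reach either way, which is the "iff strong passwords are used" condition above.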


More information about the Password-Store mailing list