Pass DBs reveal password lengths + PEBKAC issue

Emil Lundberg lundberg.emil at gmail.com
Thu Feb 23 21:52:57 CET 2017


If the stored passwords are not strong enough to withstand a brute force
attack with known cleartext length, that defeats the purpose of using a
password vault in the first place.

It is true that the website says nothing of best practices when using a
password vault, but is it really likely that pass will be the first
solution a newbie user comes across? I would think a prospective user has
either used another password vault before, or has used PGP and understands
basic security best practices that way.

/Emil

On Thu, 23 Feb 2017, 17:54 Thibault Polge, <thibault at thb.lt> wrote:

>
> > Not telling you my password length is a form of security through
> > obscurity.  The strength of the password comes from its length and its
> > randomness - not from keeping its length secret.
>
> I partially agree.  Iff strong passwords are used, knowledge of the size
> of these passwords is no serious help to an attacker.  *But* otherwise,
> it may /prove/ that a brute-force attack is feasible, give an estimate
> of the required effort, and thus help decide if such an attack is worth
> doing.
>
> I think the issue is in fact *not* whether pass hides the password
> length or not, but whether these intrinsic characteristics are
> explicitly documented, and they appear not to be.  Not trying to do
> anything fancy beyond saving/retrieving little blobs probably makes it a
> better player in Unixland, but the implications of this should, IMHO, be
> more clearly stated than they actually are.
>
> If the source code of the website is available somewhere, I'd be happy
> to provide a patch (I'm assuming some sort of static generator; if it's
> written directly in raw HTML, I can propose changes to the HTML itself,
> of course).
>
> Best regards,
> Thibault