Pass DBs reveal password lengths + PEBKAC issue

Marin Usalj marin2211 at gmail.com
Fri Feb 24 00:29:47 CET 2017


I think I agree with Thibault on 1 - there are some sites that just
don't allow big enough passwords, and some places are still using PIN
codes (like certain airlines).


--

Marin
On Thu, Feb 23, 2017, at 12:52 PM, Emil Lundberg wrote:

> If the stored passwords are not strong enough to withstand a brute
> force attack with known cleartext length, that defeats the purpose of
> using a password vault in the first place.
> It is true that the website says nothing of best practices when using
> a password vault, but is it really likely that pass will be the first
> solution a newbie user comes across? I would think a prospective user
> has either used another password vault before, or has used PGP and
> understands basic security best practices that way.
> /Emil



> 
> On Thu, 23 Feb 2017, 17:54 Thibault Polge, <thibault at thb.lt> wrote:
>> 
>> > Not telling you my password length is a form of security through
>> > obscurity.  The strength of the password comes from its length and its
>> > randomness - not from keeping its length secret.
>> 
>> I partially agree.  Iff strong passwords are used, knowledge of the size
>> of these passwords is no serious help to an attacker.  *But* otherwise,
>> it may /prove/ that a brute-force attack is feasible, give an estimate
>> of the required effort, and thus help decide if such an attack is worth
>> doing.
>> 
>> I think the issue is in fact *not* whether pass hides the password
>> length or not, but whether these intrinsic characteristics are
>> explicitly documented, and they appear not to be.  Not trying to do
>> anything fancy beyond saving/retrieving little blobs probably makes it a
>> better player in Unixland, but the implications of this should, IMHO, be
>> more clearly stated than they actually are.
>> 
>> If the source code of the website is available somewhere, I'd be happy
>> to provide a patch (I'm assuming some sort of static generator; if it's
>> written directly in raw HTML, I can propose changes to the HTML itself,
>> of course).
>> 
>> Best regards,
>> 
>> Thibault
>> 
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/password-store

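The feasibility argument in the quoted thread (a leaked length can "prove" whether brute force is feasible and estimate the effort), worked through as an added example that is not part of this list discussion. The guess rates, the time budget and the three scenarios (an airline-style PIN, a site capping passwords at 8 lowercase letters, a long random password) are constructed assumptions, not measured figures.

```python
from string import ascii_letters, digits, punctuation

# Constructed guess rates (assumptions, not measured figures): an offline
# attack on a cheap hash versus an online login with rate limiting.
GUESSES_PER_SECOND = {"offline": 1e10, "online": 10.0}
FULL_CHARSET = len(ascii_letters + digits + punctuation)  # 94 printable chars
YEAR = 365 * 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates once the length is known: only passwords of exactly
    `length` characters over the assumed alphabet need to be tried."""
    return alphabet_size ** length


def expected_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Average time to hit the password: half the keyspace on average."""
    return keyspace(alphabet_size, length) / 2 / rate


def feasibility(alphabet_size: int, length: int, rate: float,
                budget_seconds: float) -> tuple[bool, float]:
    """Decide whether the attack is worth doing given a time budget.
    Returns (feasible, expected_seconds)."""
    t = expected_seconds(alphabet_size, length, rate)
    return t <= budget_seconds, t


def report(scenarios, budget_seconds: float) -> list[str]:
    """One line per (label, alphabet_size, length, mode) with the verdict."""
    lines = []
    for label, alphabet_size, length, mode in scenarios:
        feasible, t = feasibility(alphabet_size, length,
                                  GUESSES_PER_SECOND[mode], budget_seconds)
        verdict = "feasible" if feasible else "infeasible"
        lines.append(f"{label}: {mode}, expected {t:.3g} s -> {verdict}")
    return lines


if __name__ == "__main__":
    # Constructed scenarios matching the thread: an airline-style PIN, a site
    # that caps passwords at 8 lowercase letters, and a long random password.
    scenarios = [
        ("4-digit PIN", 10, 4, "online"),
        ("8 lowercase letters", 26, 8, "offline"),
        ("20 chars, full charset", FULL_CHARSET, 20, "offline"),
    ]
    for line in report(scenarios, budget_seconds=YEAR):
        print(line)
```

The point the estimate makes is the one in the thread: once the length is known the arithmetic is exact, so a short or charset-limited password is shown to be crackable, while a long random one is not, whether or not its length leaks.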

