Pass DBs reveal password lengths + PEBKAC issue
Marin Usalj
marin2211 at gmail.com
Fri Feb 24 00:29:47 CET 2017
I think I agree with Thibault on 1 - there are some sites that just
don't allow big enough passwords, and some places are still using PIN
codes (like certain airlines).
--
Marin
On Thu, Feb 23, 2017, at 12:52 PM, Emil Lundberg wrote:
> If the stored passwords are not strong enough to withstand a brute
> force attack with known cleartext length, that defeats the purpose of
> using a password vault in the first place.
> It is true that the website says nothing of best practices when using
> a password vault, but is it really likely that pass will be the first
> solution a newbie user comes across? I would think a prospective user
> has either used another password vault before, or has used PGP and
> understands basic security best practices that way.
> /Emil
>
> On Thu, 23 Feb 2017, 17:54 Thibault Polge, <thibault at thb.lt> wrote:
>>
>> > Not telling you my password length is a form of security through
>> > obscurity. The strength of the password comes from its length and its
>> > randomness - not from keeping its length secret.
>>
>> I partially agree. Iff strong passwords are used, knowledge of the size
>> of these passwords is no serious help to an attacker. *But* otherwise,
>> it may /prove/ that a brute-force attack is feasible, give an estimate
>> of the required effort, and thus help decide if such an attack is worth
>> doing.
>>
>> I think the issue is in fact *not* whether pass hides the password
>> length or not, but whether these intrinsic characteristics are
>> explicitly documented, and they appear not to be. Not trying to do
>> anything fancy beyond saving/retrieving little blobs probably makes it a
>> better player in Unixland, but the implications of this should, IMHO, be
>> more clearly stated than they actually are.
>>
>> If the source code of the website is available somewhere, I'd be happy
>> to provide a patch (I'm assuming some sort of static generator; if it's
>> written directly in raw HTML, I can propose changes to the HTML itself,
>> of course).
>>
>> Best regards,
>> Thibault
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/password-store
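The effort estimate Thibault describes, worked through as an added example (not code from the thread or from pass): it compares the brute-force search space when the exact length is known against when only an upper bound is known, and sizes the attack at an assumed guess rate. Alphabet sizes, the guess rate and the time budget are assumptions chosen for illustration.

```python
# Added example, not from the thread. Quantifies how much a leaked
# password length helps a brute-force attacker, and whether the attack is
# feasible at all for a given alphabet, length and guess rate.
from math import log2


def keyspace_exact(alphabet: int, length: int) -> int:
    """Candidates to try when the attacker knows the exact length."""
    return alphabet ** length


def keyspace_upto(alphabet: int, max_length: int) -> int:
    """Candidates to try when only an upper bound on the length is known."""
    return sum(alphabet ** n for n in range(1, max_length + 1))


def length_leak_advantage(alphabet: int, length: int) -> float:
    """Factor by which knowing the exact length shrinks the search space.

    This is a geometric series, so the factor tends to alphabet/(alphabet-1):
    about 1.11 for a 10-digit PIN, about 1.01 for a 95-symbol alphabet.
    The leak itself buys the attacker almost nothing; what matters is
    whether the revealed length is small enough to search at all.
    """
    return keyspace_upto(alphabet, length) / keyspace_exact(alphabet, length)


def expected_seconds(candidates: int, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is tried."""
    return candidates / 2 / guesses_per_second


def assess(alphabet: int, length: int, guesses_per_second: float,
           budget_seconds: float) -> dict:
    """Feasibility verdict for an attacker who has learned the length."""
    space = keyspace_exact(alphabet, length)
    secs = expected_seconds(space, guesses_per_second)
    return {
        "bits": length * log2(alphabet),     # entropy if chosen uniformly
        "expected_seconds": secs,
        "feasible": secs <= budget_seconds,
    }


if __name__ == "__main__":
    # Assumed attacker: 1e9 guesses/s against the encrypted blob, one year budget.
    rate, year = 1e9, 365 * 24 * 3600.0
    print("4-digit PIN:      ", assess(10, 4, rate, year))    # feasible
    print("8 lowercase:      ", assess(26, 8, rate, year))    # feasible
    print("20 printable ASCII", assess(95, 20, rate, year))   # not feasible
```

A PIN-length entry is searchable in well under a second at that rate, whereas a 20-character printable-ASCII password is about 131 bits and stays out of reach regardless of whether its length is known.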