Pass DBs reveal password lengths + PEBKAC issue

Niklas Hambüchen mail at nh2.me
Fri Feb 24 02:48:44 CET 2017


I'd like to add that it may be useful for administrators of e.g. company
pass stores to be able to determine the length of the password of a user
without having to know the password. That way, the administrator can
inform the users that their passwords are likely not following good
practices (any more).

In any case, I agree it should be clearly documented.

The fact that some services allow only ridiculously short passwords
can't be mitigated in pass though. The attacker can just look up what
the maximal password length is for the service without even looking at
pass. In fact, if I were an attacker, that's the first thing I'd do
before spending any cycles on brute-forcing: checking out the max
password lengths of the services I found in your pass wallet.

On 24/02/17 00:29, Marin Usalj wrote:
> I think I agree with Thibault on 1 - there are some sites that just
> don't allow big enough passwords, and some places are still using PIN
> codes (like certain airlines).
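The size-based length leak the thread is about, shown as an added Python example (not code from this mailing-list post, from Niklas, or from pass itself). It assumes a toy stream cipher with a constant 16-byte header as a stand-in for a gpg-encrypted entry: ciphertext length is plaintext length plus a constant, so the file size alone yields the password length, which is exactly what lets an administrator audit for too-short passwords without decrypting anything. Real gpg files add packet headers, a key-dependent session-key packet and (by default) compression, so the constant offset would have to be calibrated for a given key rather than hard-coded. The fixed-bucket padding at the end is an assumed mitigation added here for contrast, not something pass does: it pads every entry to a multiple of 64 bytes before encryption so all files come out the same size.

```python
import hashlib
import os

# Constructed stand-in for an encrypted pass entry: a fixed 16-byte nonce
# header followed by plaintext XORed with a keystream. Not gpg; it only
# models the property under discussion (ciphertext length = plaintext
# length + constant).
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes via counter-mode SHA-256 (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def estimated_length(ciphertext: bytes) -> int:
    """What anyone who can see the file size learns: the plaintext length."""
    return len(ciphertext) - NONCE_LEN


def audit_short(store: dict, minimum: int) -> list:
    """Entry names whose ciphertext size implies a password shorter than `minimum`.

    This is the administrator's check from the thread: no decryption needed.
    """
    return sorted(name for name, ct in store.items() if estimated_length(ct) < minimum)


# Assumed mitigation (not part of pass): pad to a fixed bucket size before
# encrypting so the ciphertext size no longer depends on the password length.
BUCKET = 64


def pad(plaintext: bytes) -> bytes:
    body = len(plaintext).to_bytes(2, "big") + plaintext  # 2-byte length prefix
    return body + b"\x00" * (-len(body) % BUCKET)


def unpad(padded: bytes) -> bytes:
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def encrypt_padded(key: bytes, plaintext: bytes) -> bytes:
    return encrypt(key, pad(plaintext))


def decrypt_padded(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(decrypt(key, ciphertext))


if __name__ == "__main__":
    key = os.urandom(32)  # constructed key
    # Constructed store: two entries, one of them a 4-digit airline-style PIN.
    passwords = {"airline-pin": b"4821", "bank": b"correct horse battery staple"}
    store = {name: encrypt(key, pw) for name, pw in passwords.items()}
    for name, ct in store.items():
        print(f"{name}: file size {len(ct)} -> password length {estimated_length(ct)}")
    print("shorter than 12:", audit_short(store, 12))

    padded_store = {name: encrypt_padded(key, pw) for name, pw in passwords.items()}
    print("padded sizes:", {name: len(ct) for name, ct in padded_store.items()})
    print("padded audit:", audit_short(padded_store, 12))
```

With the unpadded store the 4-character PIN is flagged immediately; with bucket padding every entry is 80 bytes on disk and the size reveals only that the password is under 62 characters, which is the trade-off the thread's "should be clearly documented" point is about.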

