Pass DBs reveal password lengths + PEBKAC issue
Thibault Polge
thibault at thb.lt
Fri Feb 24 14:36:54 CET 2017
> In any case, I agree it should be clearly documented.
Here's a draft of two very short paragraphs that could be added at the
end of the manpage, in a new “Limitations” section, just before “See
also”:
> The hierarchy of password names is stored as a plain text directory
> structure. Pass itself does nothing to conceal the names you give to
> your keys or to the folder structure which contains them.
>
> Pass also does nothing to hide the size of the data it encrypts. The
> design of OpenPGP makes it trivial to compute the length of the
> cleartext from the length of the cyphertext.
I'm not good at nroff stuff, but if there are no objections, I'll try
and send a patch to pass.1.
Thanks all for your feedback,
Best regards,
Thibault
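
Added example, not part of the original message or of pass itself: a short audit script showing what someone with read access to a store learns without any key, namely the entry names from the directory tree and the encrypted-data body length from each file's OpenPGP packet headers (RFC 4880 framing). It assumes entries are binary, non-armored `.gpg` files; `packets`, `exposed_metadata` and `build_sample_store` are hypothetical names, and the sample store is constructed with zero-filled packet bodies.

```python
import os, tempfile
ENCRYPTED_TAGS = {9, 18}  # RFC 4880 encrypted-data packets (18 adds an integrity check)

def packets(data):
    """Yield (tag, body_length) for each top-level packet of a binary OpenPGP file."""
    i = 0
    while i < len(data):
        hdr, i, total, last = data[i], i + 1, 0, False
        if not hdr & 0x80: raise ValueError("not a binary OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag = hdr & 0x3F
            while not last:
                o, i = data[i], i + 1
                if o < 192:                  # one-octet length
                    n, last = o, True
                elif o < 224:                # two-octet length
                    n, i, last = ((o - 192) << 8) + data[i] + 192, i + 1, True
                elif o == 255:               # five-octet length
                    n, i, last = int.from_bytes(data[i:i + 4], "big"), i + 4, True
                else:                        # partial body chunk, more follow
                    n = 1 << (o & 0x1F)
                total, i = total + n, i + n
        else:                                # old-format header; width 0 = runs to EOF
            tag, width = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]
            total = int.from_bytes(data[i:i + width], "big") if width else len(data) - i
            i += width + total
        yield tag, total

def exposed_metadata(store):
    """Map entry name -> encrypted-data body size, both readable without any key."""
    out = {}
    for root, _, files in os.walk(store):
        for f in (x for x in files if x.endswith(".gpg")):
            path = os.path.join(root, f)
            name = os.path.relpath(path, store)[:-4].replace(os.sep, "/")
            with open(path, "rb") as fh:
                out[name] = sum(n for t, n in packets(fh.read()) if t in ENCRYPTED_TAGS)
    return out

def build_sample_store():
    """Constructed demo store: zero-filled packet bodies, not real ciphertext."""
    store, pkesk = tempfile.mkdtemp(), b"\xc1\x0a" + bytes(10)    # tag 1 packet
    for name, seipd in {"bank/pin": b"\xd2\x30" + bytes(48),       # tag 18, 48 bytes
                        "email/work": b"\xd2\xc0\x08" + bytes(200)}.items():
        path = os.path.join(store, name + ".gpg")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(pkesk + seipd)
    return store
```

The reported body length includes a fixed per-message overhead, so differences between entries track differences in the size of the (possibly compressed) cleartext.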