Pass DBs reveal password lengths + PEBKAC issue

Thibault Polge thibault at thb.lt
Fri Feb 24 14:36:54 CET 2017


> In any case, I agree it should be clearly documented.

Here's a draft of two very short paragraphs that could be added at the
end of the manpage, in a new “Limitations” section, just before “See
also”:

> The hierarchy of password names is stored as a plain text directory
> structure. Pass itself does nothing to conceal the names you give to
> your keys or to the folder structure which contains them.
>
> Pass also does nothing to hide the size of the data it encrypts. The
> design of OpenPGP makes it trivial to compute the length of the
> cleartext from the length of the cyphertext.

I'm not good at nroff stuff, but if there are no objections, I'll try
and send a patch to pass.1.

Thanks all for your feedback,
Best regards,
Thibault
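
The second draft paragraph can be illustrated with a short parser. This is an added example, not part of the original message and not code from pass: it reads OpenPGP packet headers (RFC 4880, section 4.2) without any key and subtracts the fixed overhead of a version 1 SEIPD packet. The function names, the 16-octet block size and the filler-byte sample message are assumptions made for the illustration.

```python
# SEIPD v1 fixed overhead: 1 version octet + (block size + 2) random prefix
# + 22-octet MDC packet. Assumption: a cipher with 16-octet blocks (e.g. AES).
SEIPD_OVERHEAD = 1 + (16 + 2) + 22

def read_packets(data):
    """Yield (tag, body_length) for each top-level packet in binary OpenPGP data."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                      # new-format header
            tag = first & 0x3F
            octet = data[pos]
            pos += 1
            if octet < 192:
                length = octet
            elif octet < 224:
                length = ((octet - 192) << 8) + data[pos] + 192
                pos += 1
            elif octet == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                 # old-format header
            tag = (first >> 2) & 0x0F
            if first & 0x03 == 3:
                raise ValueError("indeterminate length not handled here")
            width = 1 << (first & 0x03)       # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos:pos + width], "big")
            pos += width
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, length
        pos += length

def encrypted_payload_length(data):
    """Size of the packet stream inside the SEIPD packet, computed without a key."""
    for tag, length in read_packets(data):
        if tag == 18:                         # SEIPD packet
            return length - SEIPD_OVERHEAD
    raise ValueError("no SEIPD packet found")

def constructed_message(secret_len):
    """Constructed sample (secret_len < 143): filler laid out as PKESK + SEIPD."""
    body = bytes(SEIPD_OVERHEAD + 8 + secret_len)   # 8 = literal-packet framing
    return b"\x85\x01\x0c" + bytes(268) + b"\xd2" + bytes([len(body)]) + body
```

CFB mode adds no padding, so two entries whose cleartexts differ by n octets produce SEIPD bodies that differ by n octets. If the data was compressed before encryption, the value returned is the compressed size.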

