Pass DBs reveal password lengths + PEBKAC issue

Kevin Lyda kevin at ie.suberic.net
Fri Feb 24 15:12:38 CET 2017


Note that you can store more than just the password. Put the password on
the first line and then put information about the password on the next
lines. That will obscure the length.

Kevin

On Fri, Feb 24, 2017 at 1:39 PM Thibault Polge <thibault at thb.lt> wrote:

> > In any case, I agree it should be clearly documented.
>
> Here's a draft of two very short paragraphs that could be added at the
> end of the manpage, in a new “Limitations” section, just before “See
> also”:
>
> > The hierarchy of password names is stored as a plain text directory
> > structure. Pass itself does nothing to conceal the names you give to
> > your keys or to the folder structure which contains them.
> >
> > Pass also does nothing to hide the size of the data it encrypts. The
> > design of OpenPGP makes it trivial to compute the length of the
> > cleartext from the length of the cyphertext.
>
> I'm not good at nroff stuff, but if there are no objections, I'll try
> and send a patch to pass.1
>
> Thanks all for your feedback,
> Best regards,
> Thibault
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/password-store
>
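Added example, not part of the thread or of pass: a Python sketch of why the proposed "Limitations" text holds and what the multi-line entry changes. It reads only the cleartext OpenPGP packet headers (RFC 4880 length encoding) to recover the encrypted body size without any key. The sample messages are constructed with zero-filled bodies, and the `OVERHEAD` constant and helper names are assumptions of this example.

```python
OVERHEAD = 49  # assumed: SEIPD v1, 128-bit block cipher, no compression, empty filename

def read_packets(data):
    """Return [(tag, body_length)] from OpenPGP packet headers (RFC 4880, section 4.2)."""
    out, i = [], 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                n, i = first, i + 1
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                n, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                               # old-format header
            tag = (hdr >> 2) & 0x0F
            width = {0: 1, 1: 2, 2: 4}.get(hdr & 0x03)
            if width is None:
                raise ValueError("indeterminate length")
            n, i = int.from_bytes(data[i:i + width], "big"), i + width
        out.append((tag, n))
        i += n                              # skip the body; it is never decrypted
    return out

def constructed_message(plaintext_len):
    """Constructed stand-in for a pass entry: real framing, zero-filled bodies."""
    body = OVERHEAD + plaintext_len
    if body >= 192:
        raise ValueError("sample builder only emits one-octet lengths")
    pkesk = bytes([0x85, 0x01, 0x0C]) + bytes(0x10C)   # tag 1, session key packet
    return pkesk + bytes([0xD2, body]) + bytes(body)   # tag 18, encrypted data

def visible_plaintext_len(message):
    """What an observer without the key learns about the cleartext size."""
    return dict(read_packets(message))[18] - OVERHEAD

if __name__ == "__main__":
    bare = b"hunter2\n"
    multi = b"hunter2\nlogin: alice\nurl: https://example.org\n"
    for entry in (bare, multi):
        print(len(entry), visible_plaintext_len(constructed_message(len(entry))))
```

With a one-line entry the recovered size is the password length plus a newline; with extra lines it is only an upper bound on the password length.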