[extension] pass-audit , a pass extension for auditing your password repository.

Alexandre Pujol alexandre at pujol.io
Sat Feb 24 20:24:33 CET 2018


Hello pass users,

I have created a new pass extension, pass-audit [1] (yes, I like doing
them ;) ). As its name shows, it allows you to audit your passwords'
security.

For now, it only supports password breach detection using
haveibeenpwned.com. However, I plan to extend its capabilities shortly
into a complete audit program integrated with pass.


I have wanted to create this extension for months. However, up to now,
a system that detects a password breach by querying a database of leaked
passwords would require either downloading an 8GB database or sending
your passwords to an untrusted server. Because neither of these solutions
is practical or secure, I have never spent time on an audit solution.

But two days ago, Troy Hunt [5] [6] released the latest version of his
"pwned" database. The API now supports the K-anonymity [7] technique, and it
changes (almost) everything. It means only the first five characters of
the SHA1 hash of your password are sent to the server, and no information
regarding whether your password is breached or not is leaked.

In 2018, it offers an acceptable solution. Nevertheless, it is not an
entirely secure solution. But as of today, a perfectly safe solution
for searching data on an untrusted server would require (very) advanced
techniques [8] [9] that are not ready for production use.


All the releases [2] of pass-audit will be signed using my GPG key [3],
and as usual, it is available on the Arch User Repository [4].

[1] https://github.com/roddhjav/pass-audit
[2] https://github.com/roddhjav/pass-audit/releases
[3] https://pujol.io/keys/
[4] https://aur.archlinux.org/packages/pass-audit/
[5] https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
[6] https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
[7] https://en.wikipedia.org/wiki/K-anonymity
[8] https://en.wikipedia.org/wiki/Oblivious_ram
[9] https://en.wikipedia.org/wiki/Private_information_retrieval

Regards,
Alex

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20180224/bd847e86/attachment.asc>
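The K-anonymity range query described in the message above, as an added worked example. This is not pass-audit's own code and not Troy Hunt's reference implementation; it only follows the scheme the announcement describes: hash the password with SHA-1, send the first five hex characters, receive every leaked hash suffix that shares that prefix, and finish the comparison locally. The endpoint URL `https://api.pwnedpasswords.com/range/<prefix>` is the v2 API documented in the linked post [5]; the sample range response, its suffixes other than the one for "password", and all breach counts are constructed here so the example runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Number of hex characters of the SHA-1 digest that leave the machine.
# 5 hex chars = 20 bits, so every prefix is shared by a large set of hashes.
PREFIX_LEN = 5


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the leaked set (0 = not found).

    Only the 5-character prefix is handed to fetch_range; the suffix never
    leaves this function, and the final match is done on the client.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    assert len(prefix) == PREFIX_LEN  # the only value sent to the server
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def prefix_candidates(body: str) -> int:
    """How many leaked hashes share the queried prefix.

    This is what the server can observe: the client holds a hash in this
    set, or none of them. It cannot tell which, nor whether a hit occurred.
    """
    return len(parse_range_response(body))


def fetch_range_http(prefix: str) -> str:
    """Real network fetch against the v2 range API (not used by the offline test)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "k-anonymity-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6. The first suffix is the
# real remainder of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8;
# the other suffixes and all counts are made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "0" * 32 + "ABC:2",
        "F" * 32 + "123:17",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_http that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "not-in-the-constructed-sample"):
        print(pw, "->", breach_count(pw, fetch_range_offline))
    print("candidates behind prefix 5BAA6:", prefix_candidates(SAMPLE_RANGES["5BAA6"]))
```

Swapping `fetch_range_offline` for `fetch_range_http` performs the real query; the caveat the message makes still applies, since the server does learn the prefix and can see which 20-bit bucket every request falls into.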