PSA: critical security vulnerability in third-party pass-compatible software, "QtPass"
Niklas Hambüchen
mail at nh2.me
Thu Jan 4 18:33:21 CET 2018
Hello Jason, thanks for this announcement, I think it's effective and
useful to broadcast that here.

On 04/01/2018 17.35, Jason A. Donenfeld wrote:
> All passwords generated with "QtPass"'s built-in password generator

Would it be possible to have QtPass or any other GUIs of this kind have
`pass` generate the passwords for them? That way, it would always use
whatever method `pass` thinks is best for generating passwords.

It would be really great if GUIs like that could really just be GUIs and
delegate all cryptographically relevant operations to `pass`.

To my knowledge, QtPass, beyond being compatible with pass, already has
an option in the settings to use the `pass` executable for all storage
operations. But it doesn't have an option to make `pass` generate the
passwords.

Does `pass` already have an interface that QtPass could use to let it
generate passwords?

The only info I've found on this so far is in
https://github.com/IJHack/QtPass/issues/296#issuecomment-281176510,
where the QtPass maintainer says:

"
I'm waiting for the upcoming release of pass which supports a plugin
system and if I recall correctly a straight forward way to select a
password generator too.
"

from February 2017.