question on security
Ben Oliver
ben at bfoliver.com
Sun Jan 28 11:06:42 CET 2018
On 18-01-28 10:25:31, Greg Minshall wrote:
>hi. thanks very much to the responsible parties for password-store,
>which i'm happily using on lubuntu.
>
>i'm attracted to somehow synchronizing with my iphone. the solution
>(that i've seen) uses git for synchronizing.
>
>this tickles something that's worried me a bit since i started looking
>at pass, which is, i *worry* that the security of exposing lots of tiny,
>"known-format" (more or less) files, all encrypted with the same key,
>may be less secure than exposing one large, known-format, file,
>encrypted with that same key.
>
>(this is my intuition speaking to me and, of course, *my* intuition,
>especially w.r.t. security, is infallible... :)
>
>does anyone have any opinions/numbers/facts?
>
>cheers, Greg
This is one of the main 'weaknesses' with pass - it exposes all of the
file names and therefore (for most people I presume) website names.
There are ways around this but I'm not sure they work on iPhone.
It's a risk I'm willing to take if the tradeoff is the excellent
usability and simple, transparent mechanism pass uses to encrypt and
send files.
One thing I like about using gpg as a solution is that you can encrypt
with multiple keys. This means you don't need to use the same key on
your phone as on your PC.
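The multi-key setup Ben describes, as an added example that is not code from the thread or from pass itself: two throwaway GnuPG keyrings stand in for a PC and a phone, the PC encrypts one entry to both public keys (what pass does when `.gpg-id` lists several ids), and the phone decrypts with only its own private key. The user ids, the sample password and the `example.com.gpg` filename are constructed for the demonstration; it assumes gpg 2.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from pass.
# A PC keyring and a phone keyring are created in temp directories; the
# phone's PRIVATE key never leaves its keyring, only its public key is
# imported on the PC side. Needs gpg 2.1+ (for --quick-gen-key and
# --pinentry-mode loopback).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PC_HOME="$WORK/pc"
PHONE_HOME="$WORK/phone"
OTHER_HOME="$WORK/other"   # a keyring holding neither key
mkdir -m 700 "$PC_HOME" "$PHONE_HOME" "$OTHER_HOME"

# Hypothetical user ids for the two keys (constructed for this example).
PC_ID='pc@example.test'
PHONE_ID='phone@example.test'

# One gpg wrapper per keyring. The keys get an empty passphrase only so
# the example runs unattended; a real phone key should be protected.
gpg_pc()    { gpg --homedir "$PC_HOME"    --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
gpg_phone() { gpg --homedir "$PHONE_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
gpg_other() { gpg --homedir "$OTHER_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

make_keys() {
    gpg_pc    --quick-gen-key "$PC_ID"    default default never
    gpg_phone --quick-gen-key "$PHONE_ID" default default never
    # Only the phone's public key travels to the PC (the equivalent of
    # adding its id to .gpg-id); the phone's secret key stays on the phone.
    gpg_phone --export "$PHONE_ID" | gpg_pc --import
}

# encrypt_entry PLAINTEXT OUTFILE RECIPIENT... : encrypt on the PC to every
# recipient at once, the way pass does for each id listed in .gpg-id.
encrypt_entry() {
    pt=$1; out=$2; shift 2
    rargs=''
    for r in "$@"; do rargs="$rargs -r $r"; done
    # --trust-model always: the imported phone key carries no trust
    # signature, and gpg would otherwise refuse to encrypt to it.
    # shellcheck disable=SC2086
    printf '%s' "$pt" | gpg_pc --trust-model always $rargs --encrypt > "$out"
}

decrypt_on_phone() { gpg_phone --decrypt "$1"; }
decrypt_on_pc()    { gpg_pc    --decrypt "$1"; }
decrypt_elsewhere() { gpg_other --decrypt "$1"; }   # expected to fail

# What the ciphertext gives away without any key: one ":pubkey enc packet:"
# per recipient key id, plus the filename sitting next to it in the repo.
count_recipients() { gpg_pc --list-packets "$1" | grep -c '^:pubkey enc packet:'; }

make_keys
SECRET='correct horse battery staple'   # constructed sample password
ENTRY="$WORK/example.com.gpg"            # the filename is visible in the clear
encrypt_entry "$SECRET" "$ENTRY" "$PC_ID" "$PHONE_ID"

echo "recipient keys listed in ciphertext: $(count_recipients "$ENTRY")"
echo "phone reads: $(decrypt_on_phone "$ENTRY")"
echo "pc reads:    $(decrypt_on_pc "$ENTRY")"
if decrypt_elsewhere "$ENTRY" >/dev/null 2>&1; then
    echo "unexpected: keyring without either key could decrypt"
else
    echo "keyring without either key cannot decrypt (as expected)"
fi
```

Each phone or PC that should read the store gets its own key pair, and only the public halves are shared; revoking one device then means re-encrypting the store without that id rather than rotating a shared key everywhere. Note that `count_recipients` shows the flip side: the recipient key ids, like the filenames, are readable by anyone holding the repository.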