question on security

Ben Oliver ben at
Sun Jan 28 11:06:42 CET 2018

On 18-01-28 10:25:31, Greg Minshall wrote:
>hi.  thanks very much to the responsible parties for password-store,
>which i'm happily using on lubuntu.
>i'm attracted to somehow synchronizing with my iphone.  the solution
>(that i've seen) uses git for synchronizing.
>this tickles something that's worried me a bit since i started looking
>at pass, which is, i *worry* that the security of exposing lots of tiny,
>"known-format" (more or less) files, all encrypted with the same key,
>may be less secure than exposing one large, known-format, file,
>encrypted with that same key.
>(this is my intuition speaking to me and, of course, *my* intuition,
>especially w.r.t. security, is infallible... :)
>does anyone have any opinions/numbers/facts?
>cheers, Greg

This is one of the main 'weaknesses' with pass - it exposes all of the 
file names and therefore (for most people I presume) website names.  
There are ways around this but I'm not sure they work on iPhone.

It's a risk I'm willing to take if the tradeoff is the excellent 
usability and simple, transparent mechanism pass uses to encrypt and 
send files.

One thing I like about using gpg as a solution is that you can encrypt 
with multiple keys. This means you don't need to use the same key on 
your phone as on your PC.

More information about the Password-Store mailing list