PGP, gpg-agent, and KDF criticisms?
trs-80 at isnotmyreal.name
Tue Oct 27 19:48:17 CET 2020
I just joined the mailing list. I have been a long time KeePass user,
but have been looking into pass more recently.
I had an old issue on the KeePassXC GitHub requesting some enhancement,
which the devs did not want to do. Which is fine. I had actually
forgotten all about it, until someone else bumped it a little more.
I then mentioned in passing (yesterday) that I have been considering
pass, as it is essentially free-form text files with no limits on
what you can put in them, in case anyone else following the issue
wants to expand their options, as I have been thinking about doing.
Pretty quickly thereafter, both of the main devs replied with some
criticisms of PGP, gpg-agent, and some other concept (KDF?) which I am
not actually even familiar with. The following are their comments,
which I quote in full:
> Pass offers the barest minimal protections. I would never endorse
> the product because it is very easy to expose all of your secrets to
> any program by using gpg-agent to remember your credentials. There
> is also no concept of a KDF so brute forcing is an option, in fact
> their encryption method is undocumented or at least not readily
> apparent from their website.
> It's PGP, the worst possible way to encrypt stuff in 2020.
Now, I know enough about crypto to know that it is the sort of thing
best left in the hands of people that know more about it than me.
OTOH, I did not think their criticisms of PGP/GPG were really on the
mark (unless they are referring to implementation details, which I
understand are of course important to get right). But there again, I
am but a low level wizard myself, so I thought it best perhaps to pose
this criticism to the mailing list, instead.
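The quoted criticism mentions a "KDF" without explaining it. The following is an added illustration, not part of the original post and not code from pass or KeePassXC: a key derivation function stretches a passphrase into a key through a deliberately expensive, salted computation, so every guess an attacker tries costs the same amount of work as a legitimate unlock. PBKDF2-HMAC-SHA256 from Python's standard library is used here as a representative KDF; the salt, passphrase and iteration counts are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample inputs for the illustration (not from the original post).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSPHRASE = b"correct horse battery staple"


def derive_key(passphrase: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a passphrase into a fixed-size key with PBKDF2-HMAC-SHA256.

    The iteration count is the work factor: it is paid once per unlock by
    the legitimate user and once per guess by anyone brute forcing.
    The salt ensures the same passphrase yields different keys in
    different stores, so precomputed tables do not transfer."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=length)


def verify(passphrase: bytes, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Constant-time comparison of a freshly derived key against a stored one."""
    return hmac.compare_digest(derive_key(passphrase, salt, iterations), expected)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the wall-clock cost of one derivation at a given work factor."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_key(b"x", SALT, iterations)
    return (time.perf_counter() - start) / samples


def main() -> None:
    # With no KDF (iterations == 1) a guess costs about one hash; with a
    # real work factor each guess costs hundreds of thousands of hashes.
    for iterations in (1, 10_000, 300_000):
        cost = seconds_per_guess(iterations)
        print(f"{iterations:>8} iterations: {cost * 1e3:8.3f} ms per guess")

    stored = derive_key(PASSPHRASE, SALT, 300_000)
    print("correct passphrase accepted:", verify(PASSPHRASE, SALT, 300_000, stored))
    print("wrong passphrase rejected:  ", not verify(b"wrong", SALT, 300_000, stored))


if __name__ == "__main__":
    main()
```

Running it prints the per-guess cost at each work factor on the local machine; the point is the ratio between the rows, not the absolute numbers. Note that this shows only what a KDF does; whether a particular tool applies one to its secret material is a separate question that the tool's documentation, not this snippet, has to answer.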