[PATCH] allow user to "pepper", or add to password during retrieval
paul.d.erickson at gmail.com
Fri Nov 26 18:33:52 UTC 2021
I wonder if anyone else would find this feature useful? If you're not
familiar with the practice, this guy explains it well:

The gist is: even though using a weak, recycled, memorized password
alone is not secure, _adding_ one to a strong, generated, persisted
password enhances security by mitigating the risk that the contents of
the password store are exposed.

He calls it double-blind password management; I have also heard the
terms password splitting, secret salting, and peppering. These last two
are often used in a cryptographic context, but are nonetheless
applicable here, and I figured "pepper" was short and simple enough for

If you add the `--pepper` or `-p` flag to `show`, then GPG pinentry
will prompt you for a string/password/pepper—optionally remembering
it for the session—and append it to the password being retrieved.

Obviously, this cannot mitigate the risk from password-store itself,
plugins, or clipboard snooping, but I like the convenience of securely
caching the pepper string and copy-pasting both parts together.

- browserpass integration
- config option to cache one pepper for all entries rather than one per
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6082 bytes
Desc: not available
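
The behaviour described in this message, as an added sketch that is not the scrubbed patch and not password-store code: a wrapper that asks gpg-agent for a pepper through pinentry and appends it to the stored password. It assumes `pass` and `gpg-connect-agent` are installed and that entry names contain no spaces; the function names, the `PEPPER_AGENT` variable and the `pepper:` cache-id prefix are hypothetical.

```shell
#!/bin/sh
# Added example; function names, PEPPER_AGENT and the "pepper:" prefix are
# hypothetical and do not come from the patch in this thread.
# Usage: pass_show_peppered email/work

# Decode the hex string gpg-agent returns on the "OK" line of GET_PASSPHRASE.
hex_decode() {
    case $1 in *[!0-9A-Fa-f]*) return 1 ;; esac
    hex=$1
    while [ -n "$hex" ]; do
        rest=${hex#??}
        pair=${hex%"$rest"}
        [ "${#pair}" -eq 2 ] || return 1          # odd number of hex digits
        printf '%b' "\\0$(printf '%o' "0x$pair")"  # one byte, via octal escape
        hex=$rest
    done
}

# Ask gpg-agent for the pepper. The agent prompts through pinentry and caches
# the answer under the cache id, so later calls in the same session are silent.
# Assumes the entry name has no spaces (cache ids are a single token).
ask_pepper() {
    ${PEPPER_AGENT:-gpg-connect-agent} \
        "GET_PASSPHRASE pepper:$1 X Pepper Pepper+for+$1" /bye
}

# Pull the passphrase out of the agent's reply; an ERR line (for example a
# cancelled prompt) or an empty answer is treated as failure.
parse_agent_reply() {
    reply=$(printf '%s\n' "$1" |
        sed -n 's/^OK \([0-9A-Fa-f]\{1,\}\)$/\1/p' | head -n 1)
    [ -n "$reply" ] || return 1
    hex_decode "$reply"
}

# Print the stored password (first line of the entry) with the pepper appended.
# Only the stored half ever exists in the password store.
pass_show_peppered() {
    stored=$(pass show "$1" | head -n 1)
    [ -n "$stored" ] || return 1
    pepper=$(parse_agent_reply "$(ask_pepper "$1")") || return 1
    printf '%s%s\n' "$stored" "$pepper"
}
```

Refusing to print anything when the prompt is cancelled keeps the wrapper from handing back the stored half alone, which would silently be the wrong password.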