[PATCH] allow user to "pepper", or add to password during retrieval

Paul Erickson paul.d.erickson at gmail.com
Fri Nov 26 18:33:52 UTC 2021

I wonder if anyone else would find this feature useful? If you're not 
familiar with the practice, this guy explains it well:

The gist is: even though using a weak, recycled, memorized password 
alone is not secure, _adding_ one to a strong, generated, persisted 
password enhances security by mitigating the risk that the contents of 
the password store are exposed.

He calls it double-blind password management; I have also heard the 
terms password splitting, secret salting, and peppering. These last two 
are often used in a cryptographic context, but are nonetheless 
applicable here, and I figured "pepper" was short and simple enough for 
a flag.

If you add the `--pepper` or `-p` flag to `show`, then GPG pinentry 
will prompt you for a string/password/pepper—optionally remembering 
it for the session—and append it to the password being retrieved.

Obviously, this cannot mitigate the risk from password-store itself, 
plugins, or clipboard snooping, but I like the convenience of securely 
caching the pepper string and copy-pasting both parts together.

Not done:
- browserpass integration
- config option to cache one pepper for all entries rather than one per 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-show-allow-user-to-pepper-or-add-to-password-during-.patch
Type: text/x-patch
Size: 6082 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20211126/cb0241b5/attachment.bin>
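The behaviour described in the post (fetch the stored part, ask for the pepper once per session, emit the concatenation), written here as an added wrapper around `pass show` rather than the attached patch's own code; it assumes a terminal prompt via `read` in place of GPG pinentry, an exported `PASS_PEPPER` variable as the session cache, and a `PASS_RETRIEVE` hook (hypothetical) so the retrieval command can be swapped out.

```shell
#!/usr/bin/env bash
# Emulates the proposed `pass show --pepper`: the password store keeps only
# the strong generated part, the memorized pepper lives in the user's head
# (and, for the session, in an exported variable), and the two are joined
# only at retrieval time.
set -eu

# Retrieval hook (assumption): defaults to password-store, override to test.
PASS_RETRIEVE="${PASS_RETRIEVE:-pass show}"

# Return the session pepper, prompting once if it is not cached yet.
# Keeping it in an exported variable avoids writing it to disk; start a
# new shell or `unset PASS_PEPPER` to forget it.
pepper_get() {
    if [ -z "${PASS_PEPPER:-}" ]; then
        # Silent read from the terminal stands in for GPG pinentry here.
        read -rs -p "Pepper: " PASS_PEPPER </dev/tty
        printf '\n' >/dev/tty
        export PASS_PEPPER
    fi
    printf '%s' "$PASS_PEPPER"
}

# Print the first line of the stored entry with the pepper appended,
# i.e. the credential that is actually valid at the site.
pass_peppered() {
    entry="$1"
    stored="$($PASS_RETRIEVE "$entry" | head -n1)"
    pepper="$(pepper_get)"
    printf '%s%s\n' "$stored" "$pepper"
}
```

Pipe the output into `pass`'s clipboard helper (or `xclip`/`wl-copy`) if you want the same copy-paste convenience the patch describes; note the stored line alone is never the working credential, which is the whole point.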
