On Mon, 9 Dec 2019 19:34:29 +0000 Brian <[email protected]> wrote:
> On Mon 09 Dec 2019 at 14:10:56 -0500, Celejar wrote:
...
> > Although I almost always use it with its --secure option, since I
> > don't try to memorize passwords, but instead record them (in a plain
> > text file) - who can remember hundreds of passwords?
>
> Indeed. Memorising is part of the password problem. I've indicated a
> possible solution that does not rely on the fallibility of memory in
> another mail.
>
> Your plain text storage method would benefit immensely from using the
> scrypt package.

I understand that many recommend encrypting the password store, but I haven't yet done this. 'pass', recommended by Jonas in another message in this thread, uses gpg to do this, and your recommendation of scrypt, IIUC, would serve a similar goal.

I don't want to have to constantly enter a master password to access my passwords. pass recommends using gpg-agent, but then how much does one really gain by the encryption? I use full disk encryption (cryptsetup / LUKS), so the password file is secure at rest, and when I'm actually using the system, if gpg-agent is used, then anyone with access to the machine can access the password file anyway. I guess one gets some additional security in the case where one walks away from the machine and leaves it running (and an attacker doesn't get there before gpg-agent evicts the password from the cache), and similar cases.

I admit that I'm not that familiar with gpg-agent, and am no expert in the topics under discussion. Please feel free to explain / remind me of aspects of the issues that I'm missing.

Celejar
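The "walk away and leave it running" window that Celejar describes is exactly what gpg-agent's cache lifetimes bound. As an added illustration that is not part of this thread (nor from the pass or GnuPG projects), here is a `~/.gnupg/gpg-agent.conf` fragment showing a long-lived cache beside a tighter one; the option names are real gpg-agent options, the numeric values are assumptions chosen for the example.

```conf
# ~/.gnupg/gpg-agent.conf  (added example; the numbers are illustrative assumptions)
#
# default-cache-ttl : seconds a cached passphrase remains usable after its
#                     last use (idle timeout).
# max-cache-ttl     : hard ceiling in seconds since the passphrase was typed,
#                     regardless of how often it is used.
# GnuPG's own defaults are 600 and 7200 respectively when these are unset.

# Convenient but weak for the unattended-machine case: hours of idle validity
#default-cache-ttl 28800
#max-cache-ttl 86400

# Tighter: a short idle window plus a hard stop, so an unlocked but
# unattended session stops yielding decryptions after a few minutes
default-cache-ttl 300
max-cache-ttl 3600
```

After editing the file, `gpg-connect-agent reloadagent /bye` makes the running agent pick up the new values, and `gpgconf --kill gpg-agent` drops every cached passphrase immediately (the next `pass show` will prompt again). This does not change the at-rest picture Celejar already has with LUKS; it only narrows the in-session window, and a screen locker that fires on the same timescale is the complementary control.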

