Adding a trailing line with a random number of space characters also can help.
Best regards, Mikhail Gusarov. On Sat, May 10, 2014 at 2:44 PM, Daniel Schoepe <[email protected]> wrote: > Hi, > > one reason for using a password manager that encrypts its password > store is to avoid to keep the passwords safe even if the password store > itself gets into the wrong hands (e.g. if a laptop is stolen and the > user didn't use hard drive encryption). > > However, at the moment pass seems to leak the length of the passwords > through the file size of the stored passwords. As far as I can tell > the file sizes vary based on the length of the GPG key that is used, > but are only dependent on the password length otherwise. > > For example, a one-character password encrypted with a 2048 RSA key > results in a file size of 324 bytes, a five-character password generates > a file that is 328 bytes long, etc.. I tested this with two different > 2048 bit keys. > > Similarly, for 4096 bit RSA keys, password file sizes start at 580 bytes > and increase by one byte per password character as well. > > If an attacker gets his hands on a password store, this could be > problematic since it decreases the search space for passwords > considerably; especially if they have some offline method of > bruteforcing passwords (e.g. if they obtained the hash of a user's > password from some database). > > I think this is an issue and should be fixed, even though all the fixes > I can see would detract from the simplicity of the current implementation. > > One way to remedy this is the following: When adding a new password one > could generate a random number of bytes and append that, along with > information on how many junk bytes were added, to the entry and discard > them when reading the password. This has the disadvantage of the files > no longer being easily readable/usable without pass. > > I'd like to know if others also think that this is a security issue and > if there are better ways of fixing it. > > Cheers, > Daniel > _______________________________________________ > Password-Store mailing list > [email protected] > http://lists.zx2c4.com/mailman/listinfo/password-store >
_______________________________________________ Password-Store mailing list [email protected] http://lists.zx2c4.com/mailman/listinfo/password-store
