On 05/06/14 12:28, Santiago Borrazás wrote: > > What do you think about storing password with this approach?
Disclaimer: I am not a cryptographer.

I'm a little apprehensive, but it doesn't seem too bad to me. If you assume that your hash function is a random oracle and nobody knows your "master" password, then it should be perfectly secure. However, if an attacker gains access to a single password they can work out your master password, especially if it is weak. (They can brute force it, so if the entropy is high enough this should be impractical.)

The nice thing about using random strings is that access to any password only lets them into one site, with no way to work out the other passwords. In order to access all your passwords they would have to gain access to your database, which hopefully isn't being sent to every site you log in to.

database approach -> Database + brute force master = All passwords.
hashing approach -> Any password + brute force master = All passwords.

So in conclusion, if your master password is strong enough then it should be fine, but given any password they can brute force your master.

Again, IMNAC, but personally I prefer something like pass/keepass.

Kevin
_______________________________________________ Password-Store mailing list [email protected] http://lists.zx2c4.com/mailman/listinfo/password-store
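The two attack models compared above, as an added example that is not part of the original thread or of the pass project. It assumes the "hashing approach" is a deterministic derivation site_password = H(master || site), which the quoted question does not spell out, and it uses a constructed wordlist and constructed site names; the function names are mine. It shows why one leaked site password is enough to brute-force a weak master offline and then reproduce every other site password, while a leaked password from a vault of independent random strings yields nothing beyond that one site.

```python
import hashlib
import secrets
import string
from typing import Dict, Iterable, Optional

# Constructed sample data (not from the original thread).
SITES = ["example.com", "mail.example.org", "bank.example.net"]
WEAK_WORDLIST = ["password", "letmein", "qwerty", "hunter2", "dragon", "iloveyou"]


def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Assumed 'hashing approach': one deterministic password per site.

    Nothing is stored; the password is the truncated hex digest of
    master and site name. Any leaked output is a direct test vector
    for offline guessing of the master.
    """
    digest = hashlib.sha256(f"{master}\x00{site}".encode("utf-8")).hexdigest()
    return digest[:length]


def make_random_vault(sites: Iterable[str], length: int = 16) -> Dict[str, str]:
    """'Database approach': an independent random password per site.

    Each entry is drawn from the CSPRNG, so no entry is a function of any
    other; the vault itself (plus its master) is the only thing worth stealing.
    """
    alphabet = string.ascii_letters + string.digits
    return {site: "".join(secrets.choice(alphabet) for _ in range(length))
            for site in sites}


def recover_master(leaked_site: str, leaked_password: str,
                   candidates: Iterable[str], length: int = 16) -> Optional[str]:
    """Offline brute force of the master from one leaked site password.

    The attacker needs only the site name (public) and the leaked value.
    No server is contacted, so no rate limit or lockout applies; the only
    defence is the entropy of the master.
    """
    for guess in candidates:
        if derive_site_password(guess, leaked_site, length) == leaked_password:
            return guess
    return None


def hashing_blast_radius(leaked_site: str, leaked_password: str,
                         all_sites: Iterable[str], candidates: Iterable[str],
                         length: int = 16) -> Dict[str, str]:
    """Every site password reachable from a single leak under the hashing approach.

    Returns an empty dict when the master is not in the candidate list,
    i.e. when it is strong enough that the brute force fails.
    """
    master = recover_master(leaked_site, leaked_password, candidates, length)
    if master is None:
        return {}
    return {site: derive_site_password(master, site, length) for site in all_sites}


def vault_blast_radius(leaked_site: str, leaked_password: str,
                       vault: Dict[str, str]) -> Dict[str, str]:
    """Every site password reachable from a single leak under the vault approach.

    The leaked value is unrelated to the other entries, so the attacker
    gets exactly the one account whose password leaked.
    """
    return {site: pw for site, pw in vault.items() if pw == leaked_password}


if __name__ == "__main__":
    weak_master = "hunter2"
    leaked = derive_site_password(weak_master, SITES[0])
    print("hashing approach, weak master, one leak ->",
          hashing_blast_radius(SITES[0], leaked, SITES, WEAK_WORDLIST))

    strong_master = "Tr0ub4dor&3-correct-horse-battery-staple"
    leaked = derive_site_password(strong_master, SITES[0])
    print("hashing approach, strong master, one leak ->",
          hashing_blast_radius(SITES[0], leaked, SITES, WEAK_WORDLIST))

    vault = make_random_vault(SITES)
    print("vault approach, one leak ->",
          vault_blast_radius(SITES[0], vault[SITES[0]], vault))
```

The wordlist stands in for the dictionary and rule sets a real attacker would run; the point is that the work factor is one hash per guess, entirely offline, and the derived value itself confirms the hit. A slow KDF in place of a bare SHA-256 raises that cost per guess but does not change the shape of the attack.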
