> Not telling you my password length is a form of security through
> obscurity. The strength of the password comes from its length and its
> randomness - not from keeping its length secret.

I partially agree. Iff strong passwords are used, knowledge of the size of these passwords is no serious help to an attacker. *But* otherwise, it may /prove/ that a brute-force attack is feasible, give an estimate of the required effort, and thus help decide if such an attack is worth doing.

I think the issue is in fact *not* whether pass hides the password length or not, but whether these intrinsic characteristics are explicitly documented, and they appear not to be. Not trying to do anything fancy beyond saving/retrieving little blobs probably makes it a better player in Unixland, but the implications of this should, IMHO, be more clearly stated than they actually are.

If the source code of the website is available somewhere, I'd be happy to provide a patch (I'm assuming some sort of static generator; if it's written directly in raw HTML, I can propose changes to the HTML itself, of course).

Best regards,
Thibault

_______________________________________________
Password-Store mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/password-store
