If the stored passwords are not strong enough to withstand a brute force attack with known cleartext length, that defeats the purpose of using a password vault in the first place.
It is true that the website says nothing of best practices when using a password vault, but is it really likely that pass will be the first solution a newbie user comes across? I would think a prospective user has either used another password vault before, or has used PGP and understands basic security best practices that way.

/Emil

On Thu, 23 Feb 2017, 17:54 Thibault Polge, <[email protected]> wrote:

> > Not telling you my password length is a form of security through
> > obscurity. The strength of the password comes from its length and its
> > randomness - not from keeping its length secret.
>
> I partially agree. Iff strong passwords are used, knowledge of the size
> of these passwords is no serious help to an attacker. *But* otherwise,
> it may /prove/ that a brute-force attack is feasible, give an estimate
> of the required effort, and thus help decide if such an attack is worth
> doing.
>
> I think the issue is in fact *not* whether pass hides the password
> length or not, but whether these intrinsic characteristics are
> explicitly documented, and they appear not to be. Not trying to do
> anything fancy beyond saving/retrieving little blobs probably makes it a
> better player in Unixland, but the implications of this should, IMHO, be
> more clearly stated than they actually are.
>
> If the source code of the website is available somewhere, I'd be happy
> to provide a patch (I'm assuming some sort of static generator; if it's
> written directly in raw HTML, I can propose changes to the HTML itself,
> of course).
>
> Best regards,
> Thibault
> _______________________________________________
> Password-Store mailing list
> [email protected]
> https://lists.zx2c4.com/mailman/listinfo/password-store
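A small added illustration of the point argued in the exchange above (my own example, not code from the thread or from pass), assuming a uniformly random password, a 94-character printable set and constructed attacker rate and budget values: it shows that learning the exact length saves an attacker only a fraction of a bit of work, while the length does reveal whether an exhaustive search fits a given budget.

```python
import math

# Constructed attacker model for illustration; these are assumptions, not figures from the thread.
GUESSES_PER_SECOND = 10**10      # assumed offline guessing rate against the stored ciphertext
BUDGET_SECONDS = 30 * 24 * 3600  # assumed attacker patience: one month


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy (log2 of the candidate count) of a uniformly random password of exactly this length."""
    return length * math.log2(charset_size)


def keyspace_bits_unknown_length(charset_size: int, max_length: int) -> float:
    """Work when the attacker knows only an upper bound and must try every length 1..max_length."""
    total = sum(charset_size ** n for n in range(1, max_length + 1))
    return math.log2(total)


def length_leak_advantage_bits(charset_size: int, length: int) -> float:
    """Bits of work saved by learning the exact length instead of only an upper bound on it."""
    return keyspace_bits_unknown_length(charset_size, length) - keyspace_bits(charset_size, length)


def seconds_to_exhaust(charset_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate every candidate of the known length at the given rate."""
    return charset_size ** length / rate


def brute_force_feasible(charset_size: int, length: int,
                         rate: int = GUESSES_PER_SECOND, budget: int = BUDGET_SECONDS) -> bool:
    """The decision a leaked length enables: does exhausting this keyspace fit the attacker's budget?"""
    return seconds_to_exhaust(charset_size, length, rate) <= budget


if __name__ == "__main__":
    cases = [(94, 8, "8 printable ASCII"), (94, 25, "25 printable ASCII"), (10, 6, "6 digits")]
    for charset, length, label in cases:
        print(f"{label:>20}: {keyspace_bits(charset, length):6.1f} bits, "
              f"exact length saves {length_leak_advantage_bits(charset, length):.3f} bits, "
              f"exhaustive search {seconds_to_exhaust(charset, length):.3g} s, "
              f"feasible within budget: {brute_force_feasible(charset, length)}")
```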
