I think I agree with Thibault on 1 - there are some sites that just don't allow big enough passwords, and some places are still using PIN codes (like certain airlines).
-- 
Marin

On Thu, Feb 23, 2017, at 12:52 PM, Emil Lundberg wrote:
> If the stored passwords are not strong enough to withstand a brute
> force attack with known cleartext length, that defeats the purpose of
> using a password vault in the first place.
>
> It is true that the website says nothing of best practices when using
> a password vault, but is it really likely that pass will be the first
> solution a newbie user comes across? I would think a prospective user
> has either used another password vault before, or has used PGP and
> understands basic security best practices that way.
>
> /Emil
>
> On Thu, 23 Feb 2017, 17:54 Thibault Polge, <[email protected]> wrote:
>>
>> > Not telling you my password length is a form of security through
>> > obscurity. The strength of the password comes from its length and its
>> > randomness - not from keeping its length secret.
>>
>> I partially agree. Iff strong passwords are used, knowledge of the size
>> of these passwords is no serious help to an attacker. *But* otherwise,
>> it may /prove/ that a brute-force attack is feasible, give an estimate
>> of the required effort, and thus help decide if such an attack is worth
>> doing.
>>
>> I think the issue is in fact *not* whether pass hides the password
>> length or not, but whether these intrinsic characteristics are
>> explicitly documented, and they appear not to be. Not trying to do
>> anything fancy beyond saving/retrieving little blobs probably makes it a
>> better player in Unixland, but the implications of this should, IMHO, be
>> more clearly stated than they actually are.
>>
>> If the source code of the website is available somewhere, I'd be happy
>> to provide a patch (I'm assuming some sort of static generator; if it's
>> written directly in raw HTML, I can propose changes to the HTML itself,
>> of course).
>>
>> Best regards,
>> Thibault
_______________________________________________ Password-Store mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/password-store
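The length leak Thibault and Emil argue about, shown with a toy stream cipher and padding as the mitigation. This is an added example, not code from pass or from anyone on this thread; the HMAC-based cipher, the 16-byte nonce overhead and the 64-byte pad block are assumptions for illustration only.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16  # fixed overhead of the toy format; a real format has its own

# Toy stream cipher (HMAC-SHA256 keystream in counter mode). Constructed for this
# illustration only: it is NOT GPG and NOT how pass encrypts; the point is that
# any stream-style encryption emits one ciphertext byte per cleartext byte.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def toy_encrypt(key: bytes, cleartext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(cleartext))
    return nonce + bytes(p ^ k for p, k in zip(cleartext, ks))

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def observed_length(blob: bytes) -> int:
    """What a passive observer learns from the stored file size alone."""
    return len(blob) - NONCE_LEN

def pad(cleartext: bytes, block: int = 64) -> bytes:
    """Mitigation: 0x80 marker then zeros, so every entry has the same size."""
    padded = cleartext + b"\x80"
    return padded + b"\x00" * (-len(padded) % block)

def unpad(padded: bytes) -> bytes:
    # Strip the zero fill, then the 0x80 marker (safe even if the secret ends in 0x00)
    return padded.rstrip(b"\x00")[:-1]

def brute_force_candidates(alphabet_size: int, length: int) -> int:
    """Search space once the cleartext length is known."""
    return alphabet_size ** length

def brute_force_candidates_unknown(alphabet_size: int, max_length: int) -> int:
    """Search space when only an upper bound on the length is known."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))
```

With padding, a 4-digit PIN and a 28-character passphrase produce blobs of identical size, so the file size no longer tells an observer which entries are cheap to attack.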
