Hello pass users,

I have created a new pass extension, pass-audit [1] (yes, I like doing them ;) ). As its name shows, it allows you to audit your passwords' security.

For now, it only supports password breach checks from haveibeenpwned.com. However, I plan to extend its capabilities shortly into a complete audit program integrated with pass.

It has been months that I have wanted to create this extension. However, up to now, a system that detects a password breach by querying a database of leaked passwords would require either downloading an 8GB database or sending your passwords to an untrusted server. Because neither of these solutions is practical or secure, I have never spent time on an audit solution.

But two days ago, Troy Hunt [5] [6] released the latest version of his "pwned" database. The API now supports the K-anonymity [7] technique, and it changes (almost) everything. It means only the first five characters of the SHA1 hash of your password are sent to the server, and no information regarding whether your password is breached or not is leaked. In 2018, it offers an acceptable solution. Nevertheless, it is not an entirely secure solution. But as of today, a perfectly safe solution to search data on an untrusted server would require (very) advanced techniques [8] [9] that are not ready for production use.

All the releases [2] of pass-audit will be signed using my GPG key [3], and as usual, it is available on the Arch User Repository [4].

[1] https://github.com/roddhjav/pass-audit
[2] https://github.com/roddhjav/pass-audit/releases
[3] https://pujol.io/keys/
[4] https://aur.archlinux.org/packages/pass-audit/
[5] https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
[6] https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
[7] https://en.wikipedia.org/wiki/K-anonymity
[8] https://en.wikipedia.org/wiki/Oblivious_ram
[9] https://en.wikipedia.org/wiki/Private_information_retrieval

Regards,
Alex
Attachment: signature.asc (OpenPGP digital signature)
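The K-anonymity range check described in the announcement, as an added example that is not code from pass-audit or from the author. It shows what the client sends (the first five hex characters of the SHA1 hash), what the server answers (the suffixes it knows for that prefix, one `SUFFIX:COUNT` per line, the format of the published Pwned Passwords range API), and that the match is decided locally, so the full hash never leaves the machine. The server is a constructed in-memory stand-in built from a few sample passwords with made-up counts; no network access is needed.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample corpus: password -> breach count (counts are made up).
BREACHED_SAMPLE: Dict[str, int] = {
    "password": 3730471,
    "123456": 23174662,
    "letmein": 236597,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str) -> Tuple[str, str]:
    """Split a 40-char SHA1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    return hexdigest[:5], hexdigest[5:]


def build_fake_server(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Index the corpus by hash prefix, the way the range service does."""
    table: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        table.setdefault(prefix, []).append((suffix, count))
    return table


def range_query(server: Dict[str, List[Tuple[str, int]]], prefix: str) -> str:
    """Stand-in for GET /range/<prefix>: the server only ever sees the prefix
    and returns every suffix it knows for it, as 'SUFFIX:COUNT' lines."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    lines = [f"{suffix}:{count}" for suffix, count in sorted(server.get(prefix, []))]
    return "\r\n".join(lines)


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return the breach count for the password, or 0 if it is not listed.
    Only the prefix is handed to fetch_range; the suffix comparison is local."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


FAKE_SERVER = build_fake_server(BREACHED_SAMPLE)


def lookup(prefix: str) -> str:
    """Transport callback bound to the constructed server (replace with a
    real HTTP fetch of the range endpoint to audit against the live data)."""
    return range_query(FAKE_SERVER, prefix)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        hits = check_password(pw, lookup)
        status = f"breached ({hits} occurrences)" if hits else "not found"
        print(f"{pw!r}: {status}")
```

Swapping `lookup` for a real HTTP request against the range endpoint is the only change needed to run the same logic against the live service; everything the server learns is the five-character prefix, which is shared by every password whose hash starts the same way.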
_______________________________________________
Password-Store mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/password-store
