: The latest release of 1.7.2 fixed a fairly major security hole: In prior versions, if an attacker could write to your ~/.password-store directory, they could exploit a bug in pass' regex to add a new GPG key, potentially granting access to the passwords.

Though rare, it's worth updating ASAP.

Update here:

NOTE: this bug does *not* impact my -gen project, which remains the most secure way to generate passwords.

so you're saying pass-gen generates passwords like


I'd rather type it as st?UY?ld?ST?le?DT?507 because there's less chance of making a typo.
Well, your dictionary is probably bigger than 256 words, so maybe some more variation in case and special chars would be needed to compensate, but still, I prefer using a word as a mnemonic for 1-3 characters rather than typing the whole word.

@Wolf480pl Yes, the current pass-gen default dictionary is bigger than 256 words—it's 8,429 :D

So (since the search space grows exponentially) to get the same/better security you'd need 10 words. Would `st?UY?ld?ST?le?DT?ay?PO?tg?LD?507` still be easier to type?

Maybe it would, but I'd think it'd be harder to say and up the odds of typos.

Nevertheless, it's worth thinking about how pass-gen could support the use of mnemonics. I'll put some thought into it for a future version

@codesections @octobyte
is still easier to type I think.
If I want to say it, I say the full words, not just the letters that I type.
Also, I'll probably never want to say it aloud, because then someone other than me could hear it :P
Also, once it's easier to get such a password into muscle memory than it is with a password containing full words.

@Wolf480pl Hmm, our muscle memory must work differently! I have a much easier time typing out full words that are part of my normal vocabulary than I do typing out (even short) strings of characters that don't form words.

In any event, you've convinced me to add support for some sort of mnemonic-based system. I'll let you know when I've added it.

@codesections Well... if an attacker can write to your ~/.password-store aren't you hacked anyway? Such an attacker can (probably) also write to your ~/.bashrc, and e.g. add malicious gpg binary to your $PATH... At least it would work with me.
@teqwve @codesections It probably addresses issues like SELinux/AppArmor allowing stuff like browser extensions an access to ~/.password-store (basically why I set it up to read-only).

@teqwve Yeah, I tend to agree—it's one of those "this is a vulnerability, but probably only applies if you were already in trouble" issues. (I tend to put any hack that requires extended physical access to your computer in that bucket, too).

That said, there is a use-case of people syncing their ~/.password-store directory across multiple computers using Nextcloud/dropbox/etc. (or even GitHub, if they don't consider their usernames private). So, the vulnerability would matter more to them

@codesections Yeah, I didn't think about slightly more complicated backup / exporting sceneries.
Sign in to participate in the conversation

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.