codesections @codesections

pass: The latest release of pass 1.7.2 fixed a fairly major security hole: In prior versions, if an attacker could write to your ~/.password-store directory, they could exploit a bug in pass' regex to add a new GPG key, potentially granting access to the passwords.

Though rare, it's worth updating ASAP.

Update here:
passwordstore.org/

NOTE: this bug does *not* impact my pass-gen project, which remains the most secure way to generate passwords.
github.com/codesections/pass-g

@codesections @octobyte so you're saying pass-gen generates passwords like

skirt?UNSTEADY?legend?SUPERJET?livable?DINGBAT?507

?
I'd rather type it as st?UY?ld?ST?le?DT?507 because there's less chance of making a typo.
Well, your dictionary is probably bigger than 256 words, so maybe some more variation in case and special chars would be needed to compensate, but still, I prefer using a word as a mnemonic for 1-3 characters rather than typing the whole word.

@Wolf480pl @octobyte Yes, the current pass-gen default dictionary is bigger than 256 words—it's 8,429 :D

So (since the search space grows exponentially) to get the same/better security you'd need 10 words. Would `st?UY?ld?ST?le?DT?ay?PO?tg?LD?507` still be easier to type?

Maybe it would, but I'd think it'd be harder to say and up the odds of typos.

Nevertheless, it's worth thinking about how pass-gen could support the use of mnemonics. I'll put some thought into it for a future version
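The format shown in this thread and the "you'd need 10 words" comparison, worked through as an added example (this is not pass-gen's code): it builds a password in the alternating lower/UPPER, `?`-separated, 3-digit-suffix shape, derives the first+last-letter mnemonic, and computes how many abbreviated tokens match the entropy of six words from an 8,429-word list, taking the thread's 256 possibilities per abbreviated token as the assumption. The word list below is a constructed stand-in; only its size matters for the entropy figures.

```python
import math
import secrets

# Constructed stand-in list; the entropy math uses the real pass-gen list size (8,429).
SAMPLE_WORDS = ["skirt", "unsteady", "legend", "superjet", "livable", "dingbat"]
DICT_SIZE = 8429
SEP = "?"


def generate(words, n_words=6, rng=secrets.SystemRandom()):
    """Alternating lower/UPPER words joined by '?', then a 3-digit number (000-999)."""
    picks = [rng.choice(words) for _ in range(n_words)]
    styled = [w.lower() if i % 2 == 0 else w.upper() for i, w in enumerate(picks)]
    return SEP.join(styled + [f"{rng.randrange(1000):03d}"])


def mnemonic(password):
    """Abbreviate each word to first+last letter (case kept); the numeric suffix stays."""
    parts = password.split(SEP)
    return SEP.join(p if p.isdigit() else p[0] + p[-1] for p in parts)


def passphrase_bits(n_words, dict_size=DICT_SIZE, digits=3):
    # The case pattern and separators are fixed by the format, so only the
    # word choices and the digits contribute entropy.
    return n_words * math.log2(dict_size) + digits * math.log2(10)


def abbrev_bits(n_tokens, choices_per_token=256, digits=3):
    # Assumption from the thread: an abbreviated token is worth ~256 choices (8 bits).
    return n_tokens * math.log2(choices_per_token) + digits * math.log2(10)


def tokens_to_match(n_words, choices_per_token=256):
    """Smallest number of abbreviated tokens whose entropy reaches n_words full words."""
    target = passphrase_bits(n_words)
    n = 1
    while abbrev_bits(n, choices_per_token) < target:
        n += 1
    return n


if __name__ == "__main__":
    pw = generate(SAMPLE_WORDS)
    print(pw, "->", mnemonic(pw))
    print(f"6 words: {passphrase_bits(6):.1f} bits; tokens needed: {tokens_to_match(6)}")
```

Six words from the 8,429-word list come to about 88 bits (roughly 78 from the words plus 10 from the digits), and under the 256-per-token assumption ten abbreviated tokens are the first count to reach that, which is the figure given above.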

@octobyte @codesections then why memorize it? If I don't need to type it, I just openssl rand -base64 24

@Wolf480pl @octobyte The intended use case is for passwords that you *probably* won't need to type, but might need to on occasion.

(It got started when I was logging onto a service on my phone that (inexplicably) wouldn't let me paste a password, which is bad security practice but still happens. But there are lots of other times when typing/saying might be required, including working with a computer without your passwords on it or verifying your identity over the phone.)

@codesections @octobyte
st?UY?ld?ST?le?DT?ay?PO?tg?LD?507
is still easier to type I think.
If I want to say it, I say the full words, not just the letters that I type.
Also, I'll probably never want to say it aloud, because then someone other than me could hear it :P
Also, it's easier to get such a password into muscle memory than it is with a password containing full words.

@Wolf480pl @octobyte Hmm, our muscle memory must work differently! I have a much easier time typing out full words that are part of my normal vocabulary than I do typing out (even short) strings of characters that don't form words.

In any event, you've convinced me to add support for some sort of mnemonic-based system. I'll let you know when I've added it.

@codesections Well... if an attacker can write to your ~/.password-store, aren't you hacked anyway? Such an attacker can (probably) also write to your ~/.bashrc, and e.g. add a malicious gpg binary to your $PATH... At least it would work with me.

@teqwve @codesections It probably addresses issues like SELinux/AppArmor allowing stuff like browser extensions access to ~/.password-store (basically why I set it up to read-only).

@teqwve Yeah, I tend to agree—it's one of those "this is a vulnerability, but probably only applies if you were already in trouble" issues. (I tend to put any hack that requires extended physical access to your computer in that bucket, too).

That said, there is a use-case of people syncing their ~/.password-store directory across multiple computers using Nextcloud/Dropbox/etc. (or even GitHub, if they don't consider their usernames private). So, the vulnerability would matter more to them.

@codesections Yeah, I didn't think about slightly more complicated backup / exporting scenarios.