Re: [Issue 4145] Master passphrase and encrypted credentials cache

From: Branko Čibej <brane_at_apache.org>
Date: Tue, 27 Mar 2012 03:05:12 +0200

On 26.03.2012 17:45, Greg Hudson wrote:
> On 03/26/2012 09:00 AM, C. Michael Pilato wrote:
>> The on-disk cache will contain everything it does today where
>> plaintext caching is enabled, save that the password won't be
>> plaintext, and there will be a bit of known encrypted text (for
>> passphrase validation).
> Is it important to be able to locally validate the passphrase? That
> property intrinsically enables offline dictionary attacks.

I was going to say the same. When I read "known encrypted text" my hair
stood on end. :)

You don't need passphrase validation. If the passphase is wrong, then
the recovered password will be wrong, too. It is bad practice to tell
people that they used the wrong passphrase, and it's even better if you
don't even know that it's wrong.

-- Brane
Received on 2012-03-27 03:05:21 CEST

This message: [ Message body ]
Next message: Branko Čibej: "Re: Symmetric Merge"
Previous message: Branko Čibej: "Re: Compressed Pristines (Call for Vote)"
In reply to: Greg Hudson: "Re: [Issue 4145] Master passphrase and encrypted credentials cache"
Next in thread: Greg Stein: "Re: [Issue 4145] Master passphrase and encrypted credentials cache"
Reply: Greg Stein: "Re: [Issue 4145] Master passphrase and encrypted credentials cache"
Reply: Daniel Shahaf: "Re: [Issue 4145] Master passphrase and encrypted credentials cache"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]