On 26.03.2012 17:45, Greg Hudson wrote:
> On 03/26/2012 09:00 AM, C. Michael Pilato wrote:
>> The on-disk cache will contain everything it does today where
>> plaintext caching is enabled, save that the password won't be
>> plaintext, and there will be a bit of known encrypted text (for
>> passphrase validation).
> Is it important to be able to locally validate the passphrase? That
> property intrinsically enables offline dictionary attacks.
I was going to say the same. When I read "known encrypted text" my hair
stood on end. :)
You don't need passphrase validation. If the passphase is wrong, then
the recovered password will be wrong, too. It is bad practice to tell
people that they used the wrong passphrase, and it's even better if you
don't even know that it's wrong.
Received on 2012-03-27 03:05:21 CEST