Re: dropbox security situation
On Mon, 9 Dec 2019 19:34:29 +0000
Brian <ad44@cityscape.co.uk> wrote:
> On Mon 09 Dec 2019 at 14:10:56 -0500, Celejar wrote:
...
> > Although I almost always use it with its --secure option, since I
> > don't try to memorize passwords, but instead record them (in a plain
> > text file) - who can remember hundreds of passwords?
>
> Indeed. Memorising is part of the password problem. I've indicated a
> possible solution that does not rely on the fallibility of memory in
> another mail.
>
> Your plain text storage method would benefit immensely from using the
> scrypt package.

I understand that many recommend encrypting the password store, but I
haven't yet done this. 'pass', recommended by Jonas in another message
in this thread, uses gpg to do this, and your recommendation of scrypt,
IIUC, would serve a similar goal.

I don't want to have to constantly enter a master password to access my
passwords. pass recommends using gpg-agent, but then how much does one
really gain by the encryption? I use full disk encryption (cryptsetup /
LUKS), so the password file is secure at rest, and when I'm actually
using the system, if gpg-agent is used, then anyone with access to the
machine can access the password file anyway. I guess one gets some
additional security in the case where one walks away from
the machine and leaves it running (and an attacker doesn't get there
before gpg-agent evicts the password from the cache), and similar cases.

I admit that I'm not that familiar with gpg-agent, and am no expert in
the topics under discussion. Please feel free to explain / remind
me of aspects of the issues that I'm missing.
Celejar