On Mon 09 Dec 2019 at 18:35:46 -0500, Celejar wrote:

> On Mon, 9 Dec 2019 19:34:29 +0000
> Brian <a...@cityscape.co.uk> wrote:
>
> > On Mon 09 Dec 2019 at 14:10:56 -0500, Celejar wrote:
> > ...
> > > Although I almost always use it with its --secure option, since I
> > > don't try to memorize passwords, but instead record them (in a plain
> > > text file) - who can remember hundreds of passwords?
> >
> > Indeed. Memorising is part of the password problem. I've indicated a
> > possible solution that does not rely on the fallibility of memory in
> > another mail.
> >
> > Your plain text storage method would benefit immensely from using the
> > scrypt package.
>
> I understand that many recommend encrypting the password store, but I
> haven't yet done this. 'pass', recommended by Jonas in another message
> in this thread, uses gpg to do this, and your recommendation of scrypt,
> IIUC, would serve a similar goal.
Except it does not bring with it all the baggage of full disk encryption
and gpg, and does one thing very well.

-- 
Brian.

> I don't want to have to constantly enter a master password to access my
> passwords. pass recommends using gpg-agent, but then how much does one
> really gain by the encryption? I use full disk encryption (cryptsetup /
> LUKS), so the password file is secure at rest, and when I'm actually
> using the system, if gpg-agent is used, then anyone with access to the
> machine can access the password file anyway. I guess one gets some
> additional security in the case where one walks away from
> the machine and leaves it running (and an attacker doesn't get there
> before gpg-agent evicts the password from the cache), and similar cases.
>
> I admit that I'm not that familiar with gpg-agent, and am no expert in
> the topics under discussion. Please feel free to explain / remind
> me of aspects of the issues that I'm missing.
>
> Celejar
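Added example, not code from anyone in this thread and not the tarsnap `scrypt` utility's own file format: a standard-library-only Python illustration of what "encrypt the plain-text store with an scrypt-derived key" amounts to. The passphrase goes through scrypt with a random salt and recorded cost parameters, the 64-byte output is split into an encryption key and an authentication key, the data is encrypt-then-MAC'd, and decryption refuses to proceed on a bad tag (wrong passphrase or modified file). The one assumption to note: the keystream is HMAC-SHA256 run in counter mode instead of the AES-256-CTR the real tool uses, because Python's stdlib has no AES. The names (`encrypt`, `decrypt`, `verify`, `lookup`, the `pwstore1` magic) are mine, and the sample store is constructed, not real credentials.

```python
"""Encrypt a plain-text password file with a key derived by scrypt.

Added example: NOT the tarsnap `scrypt` utility's format, and not code from
the thread.  Same structure as that tool: passphrase -> scrypt(salt, N, r, p)
-> key; split into encryption and authentication keys; encrypt-then-MAC;
refuse to decrypt when the tag does not verify.
ASSUMPTION: HMAC-SHA256 in counter mode supplies the keystream in place of
AES-256-CTR, because the Python standard library has no AES.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"pwstore1"
N_LOG2, R, P = 14, 8, 1               # scrypt cost: 128*r*N = 16 MiB RAM per guess
SALT_LEN, TAG_LEN = 32, 32
HEADER_LEN = len(MAGIC) + 1 + 8 + SALT_LEN   # magic, log2(N), r, p, salt = 49 bytes


def _derive_keys(passphrase, salt, n_log2, r, p):
    """Run scrypt once and split the 64-byte output into (enc_key, auth_key)."""
    key = hashlib.scrypt(passphrase, salt=salt, n=1 << n_log2, r=r, p=p,
                         dklen=64, maxmem=64 * 1024 * 1024)
    return key[:32], key[32:]


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: concatenate HMAC(enc_key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">Q", counter),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(passphrase, plaintext):
    """Return header || ciphertext || tag.  A fresh salt per call gives a fresh
    key per call, so the first 16 salt bytes can double as the nonce."""
    salt = os.urandom(SALT_LEN)
    header = MAGIC + bytes([N_LOG2]) + struct.pack(">II", R, P) + salt
    enc_key, auth_key = _derive_keys(passphrase, salt, N_LOG2, R, P)
    ks = _keystream(enc_key, salt[:16], len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def _open(passphrase, blob):
    """Parse the header, derive keys, check the tag in constant time.
    Returns (enc_key, salt, ciphertext), or None on wrong passphrase/tampering."""
    if len(blob) < HEADER_LEN + TAG_LEN or blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a pwstore1 file")
    n_log2 = blob[len(MAGIC)]
    r, p = struct.unpack(">II", blob[len(MAGIC) + 1:len(MAGIC) + 9])
    salt = blob[len(MAGIC) + 9:HEADER_LEN]
    header, ciphertext, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, auth_key = _derive_keys(passphrase, salt, n_log2, r, p)
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()
    return (enc_key, salt, ciphertext) if hmac.compare_digest(expected, tag) else None


def verify(passphrase, blob):
    """True iff the passphrase reproduces the tag over an unmodified file."""
    return _open(passphrase, blob) is not None


def decrypt(passphrase, blob):
    """Tag first, then keystream; never release unauthenticated plaintext."""
    opened = _open(passphrase, blob)
    if opened is None:
        raise ValueError("wrong passphrase or corrupted file")
    enc_key, salt, ciphertext = opened
    ks = _keystream(enc_key, salt[:16], len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def lookup(passphrase, blob, site):
    """The equivalent of `scrypt dec store.enc | grep site`: decrypt to memory
    only and return matching lines, so plaintext never goes back to disk."""
    lines = decrypt(passphrase, blob).decode().splitlines()
    return [line for line in lines if site in line]


if __name__ == "__main__":
    store = b"example.org: hunter2\nmail.example.net: correct-horse\n"  # constructed
    master = b"a long master passphrase"
    blob = encrypt(master, store)
    with open("passwords.enc", "wb") as f:      # only ciphertext touches the disk
        f.write(blob)
    print(lookup(master, open("passwords.enc", "rb").read(), "mail."))
    print("bad passphrase accepted?", verify(b"guess", blob))
```

Two design points worth noticing: the cost parameters live in the header, so the file stays readable after you raise N on a faster machine, and every guess at the passphrase costs an attacker the full scrypt computation and its 16 MiB of RAM, which is what the encryption buys you on a stolen or copied file independently of whatever LUKS does for the block device underneath.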