diff options
author | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2015-04-19 12:16:59 +0200 |
---|---|---|
committer | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2015-04-19 12:32:19 +0200 |
commit | 3f26c153662f6f27277abff889030d79e57c1924 (patch) | |
tree | 6e1cbe26e8e023c38db79d0470f53515fe118027 | |
parent | 9cf684177f400500f032f422130044382370c02e (diff) |
Add some thoughts on security.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
-rw-r--r-- | README.md | 25 |
1 files changed, 25 insertions, 0 deletions
@@ -3,6 +3,31 @@ qtpass QtPass is a gui for [pass](http://www.passwordstore.org/) +Security considerations +----------------------- +Using this program will not magically keep your passwords secure against +compromised computers even if you use it in combination with a smartcard. +It does protect future and changed passwords though against anyone with access to +your password store only but not your keys. +Used with a smartcard it also protects against anyone just monitoring/copying +all files/keystrokes on that machine and such an attacker would only gain access +to the passwords you actually use. +Once you plug in your smartcard and enter your PIN (or due to CVE-2015-3298 +even without your PIN) all your passwords available to the machine can be +decrypted by it, if there is malicious software targeted specifically against +it installed (or at least one that knows how to use a smartcard). +To get better protection out of use with a smartcard even against a targeted +attack I can think of at least two options: +* The smartcard must require explicit confirmation for each decryption operation. + Or if it just provides a counter for decrypted data you could at least notice + an attack afterwards, though at quite some effort on your part. +* Use a different smartcard for each (group of) key. +* If using a YubiKey or U2F module or similar that requires a "button" press for + other authentication methods you can use one OTP/U2F enabled WebDAV account per + password (or groups of passwords) as a quite inconvenient workaround. + Unfortunately I do not know of any WebDAV service with OTP support except ownCloud + (so you would have to run your own server). + Current state ------------- * Using pass or directly with git and gpg2 |