
Re: dropbox security situation



On Mon 09 Dec 2019 at 18:35:46 -0500, Celejar wrote:

> On Mon, 9 Dec 2019 19:34:29 +0000
> Brian <ad44@cityscape.co.uk> wrote:
> 
> > On Mon 09 Dec 2019 at 14:10:56 -0500, Celejar wrote:
> 
> ...
> 
> > > Although I almost always use it with its --secure option, since I
> > > don't try to memorize passwords, but instead record them (in a plain
> > > text file) - who can remember hundreds of passwords?
> > 
> > Indeed. Memorising is part of the password problem. I've indicated a
> > possible solution that does not rely on the fallibility of memory in 
> > another mail.
> > 
> > Your plain text storage method would benefit immensely from using the
> > scrypt package.
> 
> I understand that many recommend encrypting the password store, but I
> haven't yet done this. 'pass', recommended by Jonas in another message
> in this thread, uses gpg to do this, and your recommendation of scrypt,
> IIUC, would serve a similar goal.

Except it does not bring with it all the baggage of full disk encryption
and gpg and does one thing very well.

-- 
Brian.
 
> I don't want to have to constantly enter a master password to access my
> passwords. pass recommends using gpg-agent, but then how much does one
> really gain by the encryption? I use full disk encryption (cryptsetup /
> LUKS), so the password file is secure at rest, and when I'm actually
> using the system, if gpg-agent is used, then anyone with access to the
> machine can access the password file anyway. I guess one gets some
> additional security in the case where one walks away from
> the machine and leaves it running (and an attacker doesn't get there
> before gpg-agent evicts the password from the cache), and similar cases.
> 
> I admit that I'm not that familiar with gpg-agent, and am no expert in
> the topics under discussion. Please feel free to explain / remind
> me of aspects of the issues that I'm missing.
> 
> Celejar
> 

