undefined | Better HN

0 pointswoadwarrior016y ago0 comments

Not true. The solution I described would survive a local machine compromise (the GPG key is maintained on the Yubikey), the 1Password based solution won’t. How could generic malware steal secrets that are not even on the device? Furthermore, pass encrypts each password separately (I.e GPG generates a new symmetric key for each password). In case of 1password, if the master password is compromised, it’s game over.

Also, I was a long time 1password user, switched to my current setup after 1Password moved to the rent-seeking subscription business model with 1Password 7.

In terms of convenience, it’s even more convenient than using 1Password. The only minor hitch is having to key in the PIN for the Yubikey if I haven’t used it for a bit.

0 comments

munchbunny5y ago

Your solution doesn't survive a real-time attack on a local machine compromise (wait for you to enter the PIN and then opportunistically use the private key). It only makes doing so harder by automatically re-locking the key.

That said, your system is well past the point of "password storage is no longer the most economical surface to attack".

woadwarrior01OP5y ago

Occasionally entering the PIN + Physical touch on the Yubikey for every decryption call. Since the private key never leaves the Yubikey, every decryption needs a physical touch.

j / k navigate · click thread line to collapse