undefined | Better HN

0 pointsphoe-krk3y ago0 comments

Use a VPS that uses SSH with key-based authentication, store the git tree of your passwords there. Uploading your whole password tree to a public repository is a bad idea for reasons explicitly mentioned in the article (i.e. pass does not encrypt metadata about the file/directory names, git stores all creation/modification/deletion dates and times).

0 comments

Brian_K_White3y ago

"Use a VPS that uses SSH with key-based authentication, store the git tree of your passwords there."

Exactly what I told my Phillipino mother in law to protect her AOL account. I can't imagine why she doesn't do it.

gggggg53y ago

What could possibly make you think that the guy who wrote pass (a git backed command line password manager) gives a shit about whether or not your "Phillipino" mother in law wants to use it?

phoe-krkOP3y ago

That's a strawman. I'm neither your Phillipino mother nor ever suggested that she should be doing this.

Brian_K_White3y ago

There is nothing invalid about the observation. (not a strawman)

1 more reply

gruez3y ago

>Use a VPS that uses SSH with key-based authentication, store the git tree of your passwords there.

I'm not sure whether that's actually better than storing it on github (or any other professionally managed git instance). Sure, you gain some security by obscurity (because your VPS isn't a juicy target like github is), but that's about it. If the FBI is after you, they can send a letter to your VPS provider just like they can send a letter to github. I probably also expect github to do a better job at keeping their systems secure than an amateur sysadmin. In both cases the chance of getting hacked is fairly low, but the whole point of a password manager is that you don't have to rely on the storage service being secure to keep your passwords safe. If you need to rely on the storage service (eg. git server) to be not compromised for your passwords to be safe, then that kills a large benefit of using a password manager.

yellowapple3y ago

> If the FBI is after you, they can send a letter to your VPS provider just like they can send a letter to github.

And unless that VPS is in the US or provided by a US company, it's unlikely the FBI will get much of a useful response to that letter. Some countries' LEAs cooperate with the FBI and other American LEAs, but not all.

phoe-krkOP3y ago

The VPS does not have my private GPG key, stored locally, and hence cannot use it to decrypt the passwords.

gruez3y ago

Right, but if an attacker has access to the VPS, it can pull off the various shenanigans that's described in the OP? That's the whole thesis of the article. If you have access to the underlying storage of pass (eg. the git instance if you're using git to sync everything), then you can perform some attacks. The attacks aren't catastrophic (ie. attackers being able to decrypt your passwords with no intervention), but they're still pretty bad nonetheless.

1 more reply

j / k navigate · click thread line to collapse

0 comments

Brian_K_White3y ago

"Use a VPS that uses SSH with key-based authentication, store the git tree of your passwords there."

Exactly what I told my Phillipino mother in law to protect her AOL account. I can't imagine why she doesn't do it.

gggggg53y ago

What could possibly make you think that the guy who wrote pass (a git backed command line password manager) gives a shit about whether or not your "Phillipino" mother in law wants to use it?

phoe-krkOP3y ago

That's a strawman. I'm neither your Phillipino mother nor ever suggested that she should be doing this.

Brian_K_White3y ago

There is nothing invalid about the observation. (not a strawman)

1 more reply

gruez3y ago

>Use a VPS that uses SSH with key-based authentication, store the git tree of your passwords there.

yellowapple3y ago

> If the FBI is after you, they can send a letter to your VPS provider just like they can send a letter to github.

phoe-krkOP3y ago

The VPS does not have my private GPG key, stored locally, and hence cannot use it to decrypt the passwords.

gruez3y ago

1 more reply

j / k navigate · click thread line to collapse