Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You can use a hash of the site appended with a .pass wide pepper as the name of the directory storing credentials for a particular site, then use a wrapper script that hashes its input before passing it to pass.

Also full disk encryption.



This is all a lot of effort, if I went down that road I might as well skip "pass" and handle the passwords myself. What I like about pass is that there isn't much setup.

Full disk encryption also doesn't prevent a running application from seeing the directory structure. But I guess this is not a very realistic attack vector.


Yes, under that threat model you would lose with all of these password managers.


How so? If the entire directory structure is also encrypted then no program can easily know which sites or services I have passwords for.


I was meaning if your machine was compromised.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: