12 comments

[ 4.3 ms ] story [ 38.9 ms ] thread
Tangentially related: The gopher on that site is cool - try hovering it!

Works well on that page - looks good as a static image - but hovering gives a nice "wov" effect.

I personally don't like to name a project like this and to use Gopher logo unless it's a development tools it shouldn't be named after the tech behind it.

It reduces the chance of getting some serius users as it presents the project as a hobby project by a Golang enthusiast.

Useful counterpoint: Hipmunk.
The thing I don't get about pass or gopass is that "each secret lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the secret." Why leak the information that there are passwords for those websites or resources?
Wouldn't that just be security by obscurity if you hide what services you have?
Encrypting something is security by obscurity: the password are hidden, why wouldn't the url be hidden as well, the same way they are for every other password manager?
Why would the URL be hidden? Most people keep their browser histories enabled.
Obscurity can be a useful technique for defense in depth, or even just reducing the noise of drive-by attacks to make it easier to identify the “real” ones. For example, putting SSH on a non-standard port.

But encrypting metadata isn’t “obscurity” at all. It’s strongly protecting sensitive personal information. And it’s table-stakes for a password manager.

“Obscurity” refers to obfuscating data in a way that’s easily reversible by knowing a trick or method. Like the FortiNet XOR with a static key.

“Secured by a high entropy secret and a trusted algorithm” is not obscurity, unless, for example, the key is packaged with the data it is meant to protect in a cute way.

Please don’t parrot phrases if you don’t understand them. “Security by obscurity” is bad when the security is provided only by the obscurity, such as when you have an unauthenticated service running on a hidden port somewhere. Otherwise, obscurity is an essential part of security — the concept of passwords and secret encryption keys rely on obscurity by definition.
Yes, a leak of unencrypted metadata like this is unacceptable.
You can choose what filenames to use. You could theoretically also stick everything inside an encrypted volume.

I don't really understand how that is a big deal though. If at some point an attacker gets to see what filenames are on my hard drive, I have bigger issues than if he knows I have an Amazon account or not.

(comment deleted)