Re: [dev] securiy guidance

From: Truls Becken <>
Date: Mon, 5 Mar 2018 13:16:47 +0100

Hi Peter,

I know this is not what you asked about, but there is one other thing people
dislike about pass; the file hierarchy is in plain text. If you can fix that,
you might attract some users.


On Mon, Mar 5, 2018 at 11:06 AM, <> wrote:
> Hello,
> this mail won't be related to any suckless projects, I am looking for
> some guidance/tips. If this isn't a good place for such requests I can
> take a hint.
> Since I stumbled upon (2-3 weeks) I switched to dwm and st,
> read the philosophy and many other pages, browsed through some source
> code, looked up plan 9 in a bit more detail than before, read about 9P,
> the list could go on for a while, you get the idea. I'm not a C
> programmer but decided it's time to try and write something useful.
> Thinking about a good project brought me to password stores. I never
> liked (or trusted) these big fluffy UI-driven password solutions (god
> forbid if they offer cloud syncing and such), so I always sticked with
> pass whenever possible. The only thing I dislike about it is
> piggybacking on gpg, which is big and scary for people who don't use it
> on a daily basis and from my own experience hard to understand and set
> up.
> Contemplating on what a pass-like password manager needs to do, making
> it as simple as possible, there's possibly 3 commands needed
> - init - one-time initialization of the password store, key generation,
> ...
> - set - encrypt a password
> - get - decrypt a password
> The second piece would be a daemon (agent) that caches the master
> password like gpg-agent or ssh-agent does. I don't want to focus on this
> piece until the first one is polished.
> Trying my hands on putting this together got me this far:
> If you bore with me this far (pardon for the longer introduction) I can
> finally ask for some guidance: encryption isn't a topic to be taken
> lightly and I wouldn't like to rely on tips from random people on the
> internet. Storing passwords requires 1 encryption/decryption algorithm.
> Which one to choose? I would like to rely on libc only and am naively
> thinking an encryption/decryption algorithm could be easily copied into
> the current source code.
> If anyone finds it fun to look through some newcomer-level source code
> to give pointers on what should be changed or pinpoint bugs/issues with
> the code I'd be thrilled.
> Thanks in advance and reminding once again - if this is inappropriate
> for this mailing list just say the word. I'm just looking for guidance
> from people who value simplicity and have experience.
> --
> ------------
> Peter Nagy
> ------------
Received on Mon Mar 05 2018 - 13:16:47 CET

This archive was generated by hypermail 2.3.0 : Mon Mar 05 2018 - 13:24:23 CET