Re: Recommended setup for synced password manager




lacsaP Patatetom,

> what do you think of https://github.com/lesspass/lesspass ?  the
> principle seems interesting : it consists in reconstructing the
> password from a piece of information (which can be synchronized
> easily/simply) and a secret (master password)...  regards.

i'm not an expert.

it's a very nice idea.  (probably a lot of us, in the old days, used to
have some sort of algorithmic way of contorting a URL to generate a
password; but, this is much more sophisticated, and certainly much more
secure.)

let's say the only vulnerability were for Alice to crack Bob's master
password.  presumably the difficulty of doing this is the same as
cracking Bob's GPG password (that one he uses to encrypt his password
store).

with lesspass, Alice can now go anywhere Bob has gone and log on.  not
so good.

with, e.g., password-store, Alice also needs to access Bob's encrypted
files.

(i.e., if Alice looks over Bob's shoulder as Bob types his password, in
lesspass, "she's in"; but not so, with password-store; she still has to
find out where he stores his password store, and gain access, which may
likely *not* be via Bob's master password.)

so, there's a bit of, maybe a lot of (should one be very careful with
one's encrypted password store), an advantage there to password-store.

the second thing that occurs to me is that the world of
multi-dimensional random number spaces can *very seldomly* have very bad
properties.  (there's a famous 1970'ish paper, something like "The rain
in Spain falls mainly on the planes"; for some then-current algorithm,
if you rotated the space appropriately and projected "down", you ended
up with a discrete set of lower-dimensional points, something like
that.)

GPG encryption can also suffer from this.  but, the level of scrutiny
has been very high.

again, i'm no expert.  just those two random :) thoughts.

still, it's a nice idea.  and, in practice, i would guess very secure.

cheers, Greg
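
The trade-off discussed in this message, as an added sketch that is not part of the original post and is not LessPass's own code: a simplified stateless derivation showing that the master password plus non-secret site data is enough to regenerate every password, with no stored file involved. The PBKDF2 parameters, the alphabet, the function names and the sample profiles are assumptions made for the illustration.

```python
import hashlib
import string

# Assumed parameters for this sketch; they are not taken from the message above.
ITERATIONS = 100_000
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def derive_password(master, site, login, counter=1, length=16):
    """Rebuild a site password from the master secret and non-secret site data."""
    salt = f"{site}\x00{login}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))  # peel characters off the derived key
        chars.append(ALPHABET[idx])
    return "".join(chars)

def regenerate_all(master, profiles):
    """Whoever holds the master password can do this; no stored file is needed."""
    return {p: derive_password(master, *p) for p in profiles}

# Constructed sample profiles (site, login, counter): the part that can be synced openly.
PROFILES = [
    ("example.com", "bob", 1),
    ("mail.example.org", "bob@example.org", 2),
]

if __name__ == "__main__":
    bob = regenerate_all("correct horse battery staple", PROFILES)
    observer = regenerate_all("correct horse battery staple", PROFILES)
    print("observer with the master password matches Bob:", observer == bob)
    typo = regenerate_all("correct horse battery stapel", PROFILES)
    print("mistyped master fails silently with other passwords:", typo != bob)
    rotated = derive_password("correct horse battery staple", "example.com", "bob", 2)
    print("bumping the counter rotates one site:", rotated != bob[PROFILES[0]])
```

With an encrypted store such as password-store, the same observer would additionally need a copy of the encrypted files before the passphrase is of any use.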


