by jc_sec
3116 days ago
Hi, author here... Firstly, this project is open source. If you're suspicious of where the data is being stored or of my intentions, you are free to fork and run it yourself. That being said, I am not claiming to have achieved some novel security accomplishment. Yes, this is a simple symmetric encryption using a vetted crypto lib, backed by a key-value store, and using UUID4 to generate the links. It's a trade-off between convenience and security. It's better than emailing passwords in plaintext and makes security more accessible to folks who don't have the time/inclination/technical ability to set up Keybase and/or establish PKI for sharing secrets. Understand the audience this is targeting.
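To make the design sketched above concrete, here is an added example (not pass.sh's code, and not written by its author) of the same shape: a secret is encrypted with a server-held symmetric key using AES-GCM from Go's standard library, stored in a key-value map under a freshly generated UUIDv4, and handed back on request. The one-time read (the entry is deleted when fetched) and the use of the id as GCM associated data are this example's assumptions, not something the thread states. The point worth seeing in the code is that nothing but the id is needed to retrieve the secret, so the link carries exactly the same sensitivity as the password it wraps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// newUUID4 builds an RFC 4122 version-4 UUID from 16 random bytes.
// The UUID is the only thing the recipient needs, so it must be unguessable.
func newUUID4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// Store is an in-memory stand-in for the key-value backend (assumption: a real
// deployment would use a database; the map is only for illustration).
type Store struct {
	mu    sync.Mutex
	aead  cipher.AEAD
	items map[string][]byte // id -> nonce || ciphertext
}

// NewStore takes the server's long-lived symmetric key (16, 24 or 32 bytes).
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, items: map[string][]byte{}}, nil
}

// Put encrypts secret under the server key, binds it to its id via AEAD
// associated data, stores nonce||ciphertext and returns the id for the link.
func (s *Store) Put(secret []byte) (string, error) {
	id, err := newUUID4()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nonce, nonce, secret, []byte(id))
	s.mu.Lock()
	s.items[id] = ct
	s.mu.Unlock()
	return id, nil
}

// Take returns the plaintext for id and deletes the entry (assumed one-time view).
// Note that possession of the id is the entire authentication step.
func (s *Store) Take(id string) ([]byte, error) {
	s.mu.Lock()
	ct, ok := s.items[id]
	delete(s.items, id)
	s.mu.Unlock()
	if !ok {
		return nil, errors.New("no such secret, or it was already retrieved")
	}
	ns := s.aead.NonceSize()
	return s.aead.Open(nil, ct[:ns], ct[ns:], []byte(id))
}

func main() {
	key := make([]byte, 32) // constructed all-zero key for the demo only
	store, err := NewStore(key)
	if err != nil {
		panic(err)
	}
	id, _ := store.Put([]byte("initial-password-example")) // constructed sample secret
	fmt.Println("share this link: https://example.invalid/s/" + id)
	pt, _ := store.Take(id)
	fmt.Println("recipient reads:", string(pt))
	_, err = store.Take(id)
	fmt.Println("second read:", err)
}
```

Design note: encrypting at rest protects against someone reading the backing store without the server key, which is a real but narrow benefit; it does nothing for the case the reply below raises, where the link itself is intercepted, because the server decrypts for anyone who presents the id.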
How exactly? The link is completely equivalent to the password from a security perspective. The whole system adds zero security over sending the password in clear text.
At $dayjob we have the help desk staff give initial passwords on a small card in person, and the system forces a change on first use.
For remote users the help desk uses a voice call, calling the user on a number provided by HR, and asking a few questions before giving the initial password.
This system is not uncommon and has been used by organizations for decades without being a commonly exploited vulnerability. It is more secure than pass.sh as it adds physical or at least weak verbal authentication. It is also much simpler, requiring no trusted third parties, and does not expose the secrets on the Internet at all.