by dkbrk 4031 days ago
I think it's important to point out that whether something like this matters depends entirely on your security model. For example, an attacker learning that I have a Gmail account isn't very useful information, so I don't consider it confidential. This is a property of most of my credentials.

The way pass is built on top of gpg-encrypted files in git is at the core of its robustness and simplicity. Creating an encrypted, version-controlled store from scratch would be a not insignificant engineering effort, though something similar could be accomplished, for example, by putting the password store inside encfs.

If the mere existence of a credential is considered confidential information, a simple measure to bypass this flaw is to give it a meaningless randomly generated name such as "faithful_iceberg".