Is it safe to store (encrypted) passwords on GitHub?


I am using pass to handle all my passwords. They are encrypted using GPG with a 4096-bit key, using the SHA256 algorithm. I am using a different password for every login in my password store.

One of pass's cool features is that everything is held in a folder with a nice hierarchy, which is perfect for setting up a git repo (pass even provides that ability). I would like to have my password store up to date on all my computers.

Is it then safe to push the pass git repository to a private GitHub repository? If not, what's the weak link?

Nicolas Mattia

Posted 2015-10-02T15:06:49.907

Reputation: 331

I would not recommend doing this. One reason would be that your encrypted passwords would be subject to offline brute-force attack. – heavyd – 2015-10-02T15:46:59.743

Considering it's a private repo, I would assume (as do GitHub's clients) that no one except GitHub themselves will have access to the repo. Unless, of course, I somehow commit to a wrong repo one day. – Nicolas Mattia – 2015-10-02T16:56:50.680

Also, no one would have access to the GPG key, so someone would need to break the 4096-bit encryption, which is unlikely even for an offline brute-force attack – Nicolas Mattia – 2015-10-02T17:00:45.787

Unless they screwed up and the private key password is Password1 ;) Just because I brought it up once already today, I'm still thinking of Superfish using the name of its company as the password (komodia). It just makes it easier to crack, but still. Stupid mistakes make passwords easier to decrypt. – dakre18 – 2015-10-02T17:54:26.670

@dakre18 level goes from "unlikely to happen" to "funny decryption" – m3nda – 2017-08-02T20:25:45.857

Answers


Terse answer

It's ok to put a pass repo on GitHub.

Verbose Answer

Your pass repo is GPG encrypted using whatever private key you've selected, so it's as bulletproof as the key you've chosen. Furthermore, your private key is not stored in your pass repo. This means that the private vs. public location of your encrypted password files is not the weak link in your password manager's security. Rather, it's the private key that you've encrypted them with that you have to worry about.

Make sure it's a good key (like the one you've mentioned) and don't expose it to anyone because they won't have to crack that big ol' key to use it. They'll just have to bork your password, and, let's face it, it's really tough to be certain your password is good enough to stop everyone.

So don't let anyone else see your key. If you move your private key to each of your computers that use pass, then you can just pull your pass repo from GitHub and use the private key stored on those computers individually. Now they'll all stay synced and safe.

Two More Things To Consider

The whole point of pass is to keep your passwords encrypted. If you're not ok with them being on github.com, then what you're really relying on is their private location and not their encrypted state. If that's the case, then why encrypt them at all? You could just use the same flat files that pass uses, and not bother encrypting them. That'd be pretty convenient!

Also, keep in mind that making your password manager easier to use means you're less likely to want/need to subvert it. Any time you have to do pass's job for it (e.g. resetting a password on an account because the nice secure one was generated on a different computer and you haven't manually synced yet, but you have to get in right now) you're gonna reduce the security it provides.

Tyler Abair

Posted 2015-10-02T15:06:49.907

Reputation: 410

I think you're making three really good points: 1) the encryption key is not present on the server 2) having someone see my password is the reason why it's encrypted in the first place 3) my clumsy fingers are mostly taken out of the loop. But as @Jens said, then I've got to trust the software. – Nicolas Mattia – 2015-10-02T17:07:16.277

Pass is simple enough that you're not really trusting Pass, you're trusting PGP. That being said, yes, you still have to trust PGP. My thoughts on that are, why use PGP for anything at all if you don't trust that it encrypts stuff? – Tyler Abair – 2015-10-06T14:07:45.813


This will be safe, but exposes you to additional risks compared to not putting your password store in a public place.

  • Accidental upload of unencrypted passwords (you won't do that on purpose, but are you sure it might not happen by accident, or because of some software bug?)
  • Unknown weaknesses in RSA or the symmetric encryption in use
  • Usage patterns revealed (statistics is powerful)
  • Accidental release of your access token results in public data; if you'd additionally kept that private, you're much safer
  • Worst case is your whole password store history is revealed, compared to only the current one

In other words: if you do not make mistakes, trust the software, and the math behind the encryption algorithm stays secure, publicly storing the encrypted password store is fine. If you have doubts about any of those (and personally, my trust would be in exactly this order, with the least trust in myself as a user and high confidence in the math behind it), keep the store private.

Ever posted a private passphrase in some chat window by accident that popped up? I know a bunch of people that did, including myself.

Jens Erat

Posted 2015-10-02T15:06:49.907

Reputation: 14 141


This is a good question, since it has been a problem in the past where someone put a private password in a public repository.

Think of it this way: it's good practice to not store that file (along with any other sensitive files) in a public repository, even if it's private. It is good to back it up somewhere, but if, let's say, your password was retrieved somehow (from a third-party site, for example), they could access your GitHub and still retrieve the password. Worst case, but it is still possible. I would usually suggest having some kind of file stored on an external hard drive, and possibly storing the hard drive somewhere in case there's a fire.

If you really want to use a repository or cloud to store it, just do everything you can to keep it safe.

Overall it's not the best idea. It's not the worst, but it's best to think of the "what would happen if?" scenarios. It may never happen to you, but if it did, is it worth the trouble?

Edit: I was thinking of programs in some of my post, so I trimmed it up to answer your question better.

dakre18

Posted 2015-10-02T15:06:49.907

Reputation: 315


One of pass's cool feature is that everything holds in a folder with a nice hierarchy, which is perfect for setting up a git repo

I think it is not safe, because all your accounts (the directory structure) are not encrypted. Only the passwords have been protected by gpg.

(pass even provides that ability)

If you do it using pass's own ability, maybe it is safer. But you need to rebuild your store using "pass git init".

utopic eexpress

Posted 2015-10-02T15:06:49.907

Reputation: 43
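An added example, not code from pass or from any of the answers above, that turns two points raised here into a pre-push check: Jens Erat's risk of accidentally uploading an unencrypted file, and utopic eexpress's point that the directory structure (the account names) is never encrypted. It walks a pass store, flags any file that is not a .gpg file or whose bytes do not start with an OpenPGP packet header, and lists the entry names the tree itself would expose. The sample store it builds is constructed here, and the .gpg-id content is a placeholder, not a real key id.

```python
import os
import tempfile
# OpenPGP packet tags an encrypted pass entry may legitimately start with:
OK_TAGS = {1, 3, 8}   # public-key ESK, symmetric-key ESK, compressed data
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
def openpgp_tag(first_byte):
    """Return the packet tag encoded in an OpenPGP header byte, or None if not a packet."""
    if not first_byte & 0x80:          # bit 7 must be set for any packet
        return None
    if first_byte & 0x40:              # new-format header: tag in low 6 bits
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F    # old-format header: tag in bits 5..2

def looks_encrypted(data):
    """True if the bytes start like an OpenPGP message (binary or ASCII-armored)."""
    return data.startswith(ARMOR_HEADER) or (bool(data) and openpgp_tag(data[0]) in OK_TAGS)

def audit_store(root):
    """Walk a pass store; return plaintext findings and the entry names the tree exposes."""
    findings, entries = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]   # skip git metadata
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name in (".gpg-id", ".gitattributes"):        # pass's own plaintext files
                continue
            if not name.endswith(".gpg"):
                findings.append(f"{rel}: not a .gpg file, would be pushed in the clear")
                continue
            entries.append(rel[:-4])     # path minus .gpg is the unencrypted account name
            with open(os.path.join(dirpath, name), "rb") as f:
                head = f.read(64)
            if not looks_encrypted(head):
                findings.append(f"{rel}: named .gpg but content is not an OpenPGP message")
    return {"findings": findings, "entries": sorted(entries)}

def build_sample_store():
    """Constructed sample store: one real-looking entry, one misnamed, one stray plaintext."""
    root = tempfile.mkdtemp()
    files = {
        ".gpg-id": b"PLACEHOLDER-KEY-ID\n",
        "Email/work.gpg": b"\x85\x02\x0c\x03" + bytes(range(60)),  # old-format PKESK header
        "Bank/pin.gpg": b"1234\n",                       # plaintext hiding behind a .gpg name
        "notes.txt": b"temporary password: hunter2\n",   # stray unencrypted file
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root
```

Running audit_store on a real store before "git push" reports the two kinds of plaintext leak, and the "entries" list is exactly what anyone who can read the repository learns even without the key.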