subdavis / Tusk

🐘 🔒 KeePass-compatible browser extension for filling passwords.
https://subdavis.com/Tusk

Remember master password indefinitely #302

Closed spiral6 closed 5 years ago

spiral6 commented 5 years ago

Feature Request

A feature you'd like to see

CKP used to have the option to remember the master password indefinitely, even when the browser was closed. It was a convenient feature.

subdavis commented 5 years ago

Duplicate of #277

Also note that the CKP feature was dangerous and insecure, and that vulnerability is the only reason tusk exists.

More info:

https://subdavis.com/blog/jekyll/update/2017/01/02/ckp-security-flaw.html

spiral6 commented 5 years ago

I don't agree with your stance, but as the developer, you get the final decision. I requested the feature for convenience, not security. You could solve this issue of storing the master password on disk by using a TOTP/2FA/physical security key option (such as a Yubikey) with a rotating secret key; you would just have to register your browser as a local app for your authenticator of choice.

subdavis commented 5 years ago

How would that work?

Are you suggesting that the master password be encrypted on disk and unlocked with a 2FA code or static string from your yubikey?

This is a different feature and it's logged over at #29

However, the result would be just as dangerous as putting the raw key on disk: enabling a side-channel attack where the effort to break your database requires significantly less CPU time than a brute force.

TOTP codes have less than 20 bits of entropy -- they don't make good cryptographic keys on their own.
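To make the entropy point above concrete, here is an added example (not Tusk's code, and not a design anyone in this thread proposed in detail) that models the hypothetical scheme: a stored master password wrapped under a key derived from the current 6-digit TOTP code. The salt, iteration count, secret and code are all constructed for the demo; the wrapping itself is a toy (SHA-256 keystream plus HMAC tag) because the only property that matters here is the size of the code space. `enumeration_work` gives the worst-case cost of walking every code, which is 10^6 times the KDF cost no matter how much the KDF is stretched, and `recover_by_enumeration` shows that walk terminating on a known-answer blob.

```python
import hashlib
import hmac
import math

# Constructed scenario, not Tusk's code: a hypothetical design that wraps the
# stored master password under a key derived from the current 6-digit TOTP
# code. The point is the size of the key space, so the wrapping is a toy.

TOTP_DIGITS = 6
KDF_ITERATIONS = 10_000   # PBKDF2 rounds assumed for the hypothetical design
TAG_LEN = 16


def totp_entropy_bits(digits: int = TOTP_DIGITS) -> float:
    """Upper bound on the entropy of a decimal TOTP code: log2(10**digits)."""
    return math.log2(10 ** digits)


def derive_key(code: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the code with PBKDF2-HMAC-SHA256; stretching cannot add entropy."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode SHA-256 keystream; fine for a demo, not for real use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_secret(secret: bytes, code: str, salt: bytes,
                iterations: int = KDF_ITERATIONS) -> bytes:
    """Encrypt-then-MAC the secret under the code-derived key."""
    key = derive_key(code, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ct, "sha256").digest()[:TAG_LEN]
    return ct + tag


def unwrap_secret(blob: bytes, code: str, salt: bytes,
                  iterations: int = KDF_ITERATIONS):
    """Return the secret if the tag verifies under this code, else None."""
    key = derive_key(code, salt, iterations)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, ct, "sha256").digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def enumeration_work(digits: int = TOTP_DIGITS,
                     iterations: int = KDF_ITERATIONS) -> int:
    """Worst-case HMAC evaluations to try every code: 10**digits * iterations.

    Compare with 2**128 for a real 128-bit key: no iteration count closes
    that gap, which is the claim made in the comment above.
    """
    return (10 ** digits) * iterations


def recover_by_enumeration(blob: bytes, salt: bytes, digits: int = TOTP_DIGITS,
                           iterations: int = KDF_ITERATIONS):
    """Walk the code space in order; return (secret, number of codes tried)."""
    for n in range(10 ** digits):
        code = f"{n:0{digits}d}"
        secret = unwrap_secret(blob, code, salt, iterations)
        if secret is not None:
            return secret, n + 1
    return None, 10 ** digits


def demo():
    """Known-answer run on constructed values; returns (recovered_ok, tried)."""
    salt = b"constructed-salt"
    secret = b"correct horse battery staple"
    code = "000314"   # constructed; a low value so the walk finishes in seconds
    blob = wrap_secret(secret, code, salt)
    recovered, tried = recover_by_enumeration(blob, salt)
    return recovered == secret, tried


if __name__ == "__main__":
    ok, tried = demo()
    print(f"TOTP entropy <= {totp_entropy_bits():.2f} bits")
    print(f"worst case: {enumeration_work():.3e} HMAC calls vs 2^128 = {2 ** 128:.3e}")
    print(f"recovered={ok} after {tried} candidate codes")
```

The numbers are the whole argument: a 6-digit code caps the key space at about 19.9 bits, so even with 10,000 PBKDF2 rounds the worst case is 10^10 HMAC evaluations, against roughly 3.4 × 10^38 for a 128-bit key. A real second factor would have to contribute a high-entropy static secret (for example a Yubikey HMAC-SHA1 challenge-response output), not a six-digit code.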