undefined | Better HN

0 pointsjbg_8y ago0 comments

"you can lookup which passwords he accessed"

Really? What if s/he just decrypted the file themselves and had a look at the content, rather than using the convenient wrapper that a password manager provides?

0 comments

7 comments · 2 top-level

koolba8y ago· 3 in thread

Yep. Or saves the plaintext of the password elsewhere after using it once for a "legit" use.

Rule zero of security is that you can't ask people to forget things. If they had knowledge of a shared secret and they're not supposed to going forward, then that shared secret needs to be changed.

crypt1d8y ago

Thats the whole point of audit logs. You lookup the passwords he accessed and only rotate those (vs rotating all of team's shared secrets because you dont know which ones he used/saved/etc).

benchaney8y ago

You're missing the point. The software has no way to tell if a compromised user looked at certain passwords out of band. The audit logs aren't guaranteed to be complete, so you should rotate every key they could have accessed anyway.

raides8y ago

No it actually is not the whole point. Security is never convenient. If you do not have an active password rotation automated for all accounts, even shared, then you should be more worried about an employee reporting you to compliance officers. #justsaying

1 more reply

crypt1d8y ago· 2 in thread

Thats why password managers that do support audit logs (normally) do not provide this kind of mechanism of manually decrypting the file. The only way of accessing passwords would be through whatever interface they came up with.

jbg_OP8y ago

The password manager of course does not "provide" such a mechanism (I imagine providing a "bypass audit logs" button would not be a popular feature). But if you know the key (the master password, or some derivative of it) and you have the ciphertext then you will be able to get the plaintext.

The only way this kind of auditing could be trusted is if all the secrets are stored on the server that implements the auditing, which is exactly the model I believe that most users of `pass` are trying to avoid.

crypt1d8y ago

The whole point of the discussion was to highlight a feature that I was missing here - ability to audit who accessed what.

There will always be a person with admin (or master password) access who can edit logs or bypass them entirely, but this is suppose to be a person who has the final responsibility in the team's 'chain of command'. The audit log exists so that this very admin can monitor the logs for suspicious behavior and clean up the passwords after a team member leaves. Hence, having the ability to decrypt the db with a master password is irrelevant as the master password should only be accessible to the admin.

j / k navigate · click thread line to collapse

0 comments

7 comments · 2 top-level

koolba8y ago· 3 in thread

Yep. Or saves the plaintext of the password elsewhere after using it once for a "legit" use.

Rule zero of security is that you can't ask people to forget things. If they had knowledge of a shared secret and they're not supposed to going forward, then that shared secret needs to be changed.

crypt1d8y ago

Thats the whole point of audit logs. You lookup the passwords he accessed and only rotate those (vs rotating all of team's shared secrets because you dont know which ones he used/saved/etc).

benchaney8y ago

raides8y ago

1 more reply

crypt1d8y ago· 2 in thread

jbg_OP8y ago

crypt1d8y ago

The whole point of the discussion was to highlight a feature that I was missing here - ability to audit who accessed what.

j / k navigate · click thread line to collapse