undefined | Better HN

0 pointseridius7y ago0 comments

Not only that but this also enables offline attacking of the password. If you can compromise the Keybase server and grab the encrypted passwords, you can then attack it at your leisure with whatever computing power you can scrounge up, over whatever time duration you want. And when you break it, as long as any of the included devices are still on the account, you'd have complete access to everything.

Requiring existing devices to be actively involved in provisioning a new device prevents all of this.

0 comments

2 comments · 1 top-level

Pxtl7y ago· 1 in thread

Ah, that makes more sense.

So in Keybase, what does device to device provisioning look like? "Hey, you've just set up this device - a message has been sent to all your other devices, OK the message and come back here and you'll be good to go"

nickik7y ago

You just scan a QR code. Or if you want to do an offline device you can type in a a set of words that represent the key.

j / k navigate · click thread line to collapse