
Comments (11)

muellermartin commented on July 1, 2024 2

What is the current state of this issue?

I just tried out a Nitrokey Storage 2 and I'm a bit surprised that passwords can only have up to 20 characters. Unfortunately, this is not documented anywhere on the website. In my eyes, the whole purpose of such a hardware secured password manager is to store longer passphrases, which I can't.

The suggested workaround in issue Nitrokey/nitrokey-app#269 to store the password in the login field is a bit shocking to me, as this exposes the secret to bystanders and screenshots/casts. A slightly better solution would be to swap the restrictions: only 20 characters for the login and 32 characters for the password.

In my opinion, a better solution is suggested in Nitrokey/nitrokey-storage-firmware#38 to use a dynamic storage scheme, as users could choose between longer passwords/fields and fewer entries.

from nitrokey-pro-firmware.

jans23 commented on July 1, 2024 1

@jonathancross See this article, which covers a specific implementation too but also explains the general scheme.


muellermartin commented on July 1, 2024 1

While the Master Password algorithm sounds like a nice feature, I also agree with @jonathancross that this does not solve the aforementioned problem, because people might want to simply store a pre-defined password/passphrase which currently does not fit into the current storage layout.
The Master Password feature would only allow creating new passwords, not storing existing ones. Therefore I'm still in favor of the dynamic storage scheme.


szszszsz commented on July 1, 2024 1

Hi! I am sorry, but I do not have any updates on that feature. I would like to leave it open to remind us about this particular feature demand.


szszszsz commented on July 1, 2024

Just to show current state - current memory limit for:

  • OTP: 512 bytes+
  • PWS: 2*512 bytes

Additionally, one USB packet (USB 1.1) cannot take more than 64 bytes of data (of which around 55 are user data).


jans23 commented on July 1, 2024

We are considering moving to a master-password scheme, which would have these benefits:

  • No synchronization to other systems is necessary, once the master password has been set up once.
  • No limit on the number of accounts (leaving metadata aside).
  • Long passwords

What do you think?


jonathancross commented on July 1, 2024

Thanks @jans23, can you explain more about how the master-password scheme would work?


jonathancross commented on July 1, 2024

Thanks @jans23. Unfortunately a master-password setup doesn't sound like it would address the original issue -- desire to use / store secure passphrases.

It still might be interesting though.

Would the system also allow users to select characters used in the generated passwords?
Some situations need special chars, others reject them, some symbols are okay, others not, sometimes first character can't be a number, etc.


jans23 commented on July 1, 2024

It depends on how you define "original issue". If it's defined as "securely store login credential" for instance, it would be addressed. I agree, it may require thinking outside of the box and maybe only cover 90% of use cases. But once accepted, it should serve very well.

Special characters and options: yes.


jonathancross commented on July 1, 2024

By "original issue", I meant specifically storing passphrases (4-12 random lowercase words). Also agree with @muellermartin about storing existing passwords (or other sensitive data like a bitcoin private key, etc.)


jonathancross commented on July 1, 2024

Are pass phrases (long passwords) still not supported? Or can this be closed?

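The master-password idea discussed in this thread, sketched as an added example (not code from the thread, the linked article, or any Nitrokey firmware): each account password is derived from one stretched master key plus the site name and a counter, with selectable character classes and a rule for the first character. PBKDF2, the HMAC counter-mode stream, the salt prefix and every function and parameter name are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string

# Character classes a site policy may allow (illustrative names and symbol set).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@_",
}

def master_key(master_password: str, user: str) -> bytes:
    """Stretch the master password once; a token would keep this key on-device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               b"demo-salt:" + user.encode(), 200_000)

def _stream(key: bytes, label: bytes):
    """Deterministic byte stream: HMAC-SHA256 in counter mode over the label."""
    block = 0
    while True:
        yield from hmac.new(key, label + block.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        block += 1

def _pick(stream, alphabet: str) -> str:
    """Rejection sampling, so every character of the alphabet is equally likely."""
    limit = 256 - (256 % len(alphabet))
    for byte in stream:
        if byte < limit:
            return alphabet[byte % len(alphabet)]

def site_password(key, site, counter=1, length=24,
                  allowed=("lower", "upper", "digit", "symbol"),
                  first=("lower", "upper")):
    """Derive one account's password; no per-site secret is stored anywhere."""
    label = f"{site}\x00{counter}\x00{length}\x00{','.join(allowed)}".encode()
    stream = _stream(key, label)
    body = "".join(CLASSES[c] for c in allowed)
    # Constrain the first character (e.g. "must not be a digit") when possible.
    head = "".join(CLASSES[c] for c in first if c in allowed) or body
    return _pick(stream, head) + "".join(_pick(stream, body)
                                         for _ in range(length - 1))
```

Output length is limited only by the stream, so the 20-character cap does not apply, and bumping `counter` rotates a password. The function can only produce new values: an existing passphrase or key still needs a storage slot, which is the objection raised in the comments above.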
