On 26.03.2012 17:45, Greg Hudson wrote:
> On 03/26/2012 09:00 AM, C. Michael Pilato wrote:
>> The on-disk cache will contain everything it does today where
>> plaintext caching is enabled, save that the password won't be
>> plaintext, and there will be a bit of known encrypted text (for
>> passphrase validation).
> Is it important to be able to locally validate the passphrase? That
> property intrinsically enables offline dictionary attacks.
I was going to say the same. When I read "known encrypted text" my hair stood on end. :) You don't need passphrase validation. If the passphrase is wrong, then the recovered password will be wrong, too. It is bad practice to tell people that they used the wrong passphrase, and it's even better if you don't even know that it's wrong.

-- 
Brane
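The design Brane argues for, as an added illustration that is not part of this thread and not Subversion's own code: an on-disk record that holds only a salt, a nonce and the ciphertext of the password, with no known-plaintext field. Unsealing with the wrong passphrase simply yields different bytes; the cache itself never says "wrong passphrase", so there is nothing in the file for an offline guess-and-check loop to compare against. The passphrase is stretched with PBKDF2 (a real stdlib call); the HMAC-SHA256 counter keystream is an assumed stand-in for a real cipher, chosen only to keep the example dependency-free.

```python
import hashlib
import hmac
import os

# Constructed example: an encrypted credential cache WITHOUT a passphrase
# verifier. The record stores only salt, nonce and ciphertext, so the file
# contains no known plaintext that would confirm a passphrase guess.
# The keystream below (HMAC-SHA256 in counter mode) is an illustrative
# stand-in for a real cipher, not Subversion's design.

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the user's passphrase into a 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes of keystream (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: str, password: str) -> dict:
    """Encrypt `password` under `passphrase`; emit a record with no verifier."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    key = derive_key(passphrase, salt)
    plaintext = password.encode()
    ciphertext = bytes(
        p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext)))
    )
    # Deliberately no "verifier"/known-plaintext field in the record.
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext}


def unseal(passphrase: str, record: dict) -> bytes:
    """Decrypt the record. A wrong passphrase returns wrong bytes, never an error."""
    key = derive_key(passphrase, record["salt"])
    ciphertext = record["ciphertext"]
    return bytes(
        c ^ k
        for c, k in zip(ciphertext, keystream(key, record["nonce"], len(ciphertext)))
    )


if __name__ == "__main__":
    rec = seal("correct horse", "s3cret-svn-password")  # constructed values
    print(unseal("correct horse", rec))   # the stored password
    print(unseal("wrong passphrase", rec))  # different bytes, no "wrong passphrase" signal
```

The only place a wrong passphrase becomes observable is at the server, when the recovered (wrong) password fails authentication, which is exactly the property the thread wants: the cache file carries no local oracle. The constructed keystream provides no integrity protection; the point demonstrated is the absence of a verifier, not a complete cipher design.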