Revelation password manager issue

Tomas Mraz tmraz at
Thu Jun 14 15:21:50 UTC 2012

On Thu, 2012-06-14 at 07:40 -0500, Josh Bressers wrote: 
> Hello all,
> I suspect this is going to be a weird problem to figure out.
> Relevation password manager
> Password Manager
> Has been found to be unsafe.
> I would hope it gets fixed at some future point, but something should
> probably be done in the short term.
> I'm not sure what Fedora precedent is on issues like this. We can't
> really revoke such a package, and we also want to give users a warning
> to use a different password manager (I'm not entirely sure how to best
> do this).
> Does anyone have any thoughts?

The insecurity of the Revelation db format is not as dire as the blog
tries to picture it. Sure if you use password with low entropy then it
is much worse than in case of properly salted PBKDF2 algorithm. But if
your password contains enough entropy (100 bits or more) it is OK.
Especially if you do not use it to protect passwords for classified
materials. :) So perhaps warning to use only strong passwords could be
added somewhere.
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

More information about the devel mailing list