Revelation password manager issue

Tomas Mraz tmraz at redhat.com
Thu Jun 14 15:21:50 UTC 2012


On Thu, 2012-06-14 at 07:40 -0500, Josh Bressers wrote: 
> Hello all,
> 
> I suspect this is going to be a weird problem to figure out.
> 
> Revelation password manager
> https://admin.fedoraproject.org/pkgdb/applications/Revelation Password Manager
> 
> Has been found to be unsafe.
> http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
> 
> I would hope it gets fixed at some future point, but something should
> probably be done in the short term.
> 
> I'm not sure what Fedora precedent is on issues like this. We can't
> really revoke such a package, and we also want to give users a warning
> to use a different password manager (I'm not entirely sure how to best
> do this).
> 
> Does anyone have any thoughts?

The insecurity of the Revelation db format is not as dire as the blog
tries to picture it. Sure, if you use a password with low entropy then it
is much worse than in the case of a properly salted PBKDF2 algorithm. But if
your password contains enough entropy (100 bits or more) it is OK.
Especially if you do not use it to protect passwords for classified
materials. :) So perhaps a warning to use only strong passwords could be
added somewhere.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
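An added example, not code from this thread or from Revelation itself, that works through the reply's argument: what "100 bits or more" of entropy means for a generated password, and how much a salted, iterated PBKDF2 raises the attacker's per-guess cost compared with a fast unsalted single hash. The single-hash "weak KDF" and the guess rates are assumptions for the cost model, not a description of Revelation's actual file format.

```python
# Added example (not from the thread): password entropy targets, and how the
# key-derivation function changes the attacker's work factor.
# The "weak" KDF below is an assumed stand-in for an unsalted single hash,
# not a description of Revelation's actual file format.
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 86400

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly generated password: length symbols from alphabet_size choices."""
    return length * math.log2(alphabet_size)

def length_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches target_bits for a uniformly generated password."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every candidate (2**bits guesses) at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def weak_kdf(password: bytes) -> bytes:
    # Assumed model: one unsalted SHA-256, so the attacker pays one hash per guess.
    return hashlib.sha256(password).digest()

def pbkdf2_kdf(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Properly salted PBKDF2-HMAC-SHA256: the attacker pays `iterations` HMACs per guess.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def kdf_slowdown(iterations: int = 100_000, samples: int = 5) -> float:
    """Measured per-guess cost of PBKDF2 relative to the weak KDF (>1 means slower)."""
    pw, salt = b"constructed-test-password", os.urandom(16)   # constructed sample input
    t0 = time.perf_counter()
    for _ in range(samples):
        weak_kdf(pw)
    weak = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples):
        pbkdf2_kdf(pw, salt, iterations)
    strong = (time.perf_counter() - t0) / samples
    return strong / weak

if __name__ == "__main__":
    print("diceware words for 100 bits:", length_needed(7776, 100))
    print("random printable ASCII chars for 100 bits:", length_needed(95, 100))
    fast = 1e9   # assumed offline guess rate against the weak KDF, guesses/second
    for bits in (30, 60, 100):
        print(f"{bits:3d} bits: {years_to_exhaust(bits, fast):.3g} years (weak KDF),"
              f" {years_to_exhaust(bits, fast / 1e5):.3g} years (PBKDF2, 100k iterations)")
```

At 100 bits the exhaustive search is infeasible under either model, which is the reply's point; at 30 bits only the iterated, salted KDF buys meaningful time.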
