Revelation password manager issue

Adam Williamson awilliam at redhat.com
Thu Jun 14 18:24:20 UTC 2012


On Thu, 2012-06-14 at 17:21 +0200, Tomas Mraz wrote:
> On Thu, 2012-06-14 at 07:40 -0500, Josh Bressers wrote: 
> > Hello all,
> > 
> > I suspect this is going to be a weird problem to figure out.
> > 
> > Revelation password manager
> > https://admin.fedoraproject.org/pkgdb/applications/Revelation Password Manager
> > 
> > Has been found to be unsafe.
> > http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
> > 
> > I would hope it gets fixed at some future point, but something should
> > probably be done in the short term.
> > 
> > I'm not sure what Fedora precedent is on issues like this. We can't
> > really revoke such a package, and we also want to give users a warning
> > to use a different password manager (I'm not entirely sure how to best
> > do this).
> > 
> > Does anyone have any thoughts?
> 
> The insecurity of the Revelation db format is not as dire as the blog
> tries to picture it. Sure, if you use a password with low entropy then it
> is much worse than in the case of a properly salted PBKDF2 algorithm. But if
> your password contains enough entropy (100 bits or more) it is OK.
> Especially if you do not use it to protect passwords for classified
> materials. :) So perhaps a warning to use only strong passwords could be
> added somewhere.

Right. Honestly, as a Revelation user with a ten character password, the
blog post honestly did not make me feel like 'oh shit I need to change
everything immediately'. I don't use Revelation because I consider it
likely that some determined attacker is going to acquire a copy of my
database file (in itself not trivial) and then throw several weeks of
high-end processing power at accessing my password database. I use it
because it's a very effective way of ensuring things like the LinkedIn
password database breach have a very limited impact on me.

I don't think the vulnerability is sufficiently serious to justify
effectively killing the package, if I'm understanding the description
correctly.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
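
Added example, not part of the original thread: a small calculator for the entropy versus salted-PBKDF2 trade-off discussed above. The single unsalted hash is a generic stand-in (not Revelation's actual format, which the thread does not describe), and the 1e12 hashes/second rate, 94-character alphabet and iteration count are assumptions.

```python
import hashlib
import math
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def fast_unsalted_key(password: str) -> bytes:
    # Generic weak derivation: one unsalted hash. The same password always
    # gives the same key, so one precomputed table serves every database.
    return hashlib.sha256(password.encode()).digest()

def pbkdf2_key(password: str, salt: bytes, iterations: int) -> bytes:
    # Salted and iterated: keys differ per database, each guess costs more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def charset_entropy(length: int, alphabet_size: int) -> float:
    # Upper bound: assumes every character is chosen uniformly at random.
    return length * math.log2(alphabet_size)

def effective_bits(entropy_bits: float, iterations: int = 1) -> float:
    # Every guess costs `iterations` hash computations, which adds
    # log2(iterations) bits of work on top of the password's own entropy.
    return entropy_bits + math.log2(iterations)

def years_to_search_half(work_bits: float, hashes_per_second: float) -> float:
    # Expected effort to find the password: half of the search space.
    return 2 ** (work_bits - 1) / hashes_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    rate = 1e12          # assumed aggregate hash rate, not a measured figure
    iterations = 100_000  # assumed PBKDF2 iteration count
    ten_chars = charset_entropy(10, 94)  # random 10-char printable ASCII
    cases = [
        ("10 random chars, single hash", effective_bits(ten_chars)),
        ("10 random chars, PBKDF2", effective_bits(ten_chars, iterations)),
        ("100-bit password, single hash", effective_bits(100)),
    ]
    for label, bits in cases:
        years = years_to_search_half(bits, rate)
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years")

    # Salt effect: identical passwords, different derived keys.
    pw = "constructed-sample-password"
    print(fast_unsalted_key(pw) == fast_unsalted_key(pw))        # True
    print(pbkdf2_key(pw, os.urandom(16), 1000)
          == pbkdf2_key(pw, os.urandom(16), 1000))               # False
```

The entropy figure for a ten-character password only holds if the characters were chosen at random; a human-chosen password of that length has less.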


