Revelation password manager issue

Daniel P. Berrange berrange at redhat.com
Fri Jun 15 09:09:46 UTC 2012


On Thu, Jun 14, 2012 at 11:24:20AM -0700, Adam Williamson wrote:
> On Thu, 2012-06-14 at 17:21 +0200, Tomas Mraz wrote:
> > On Thu, 2012-06-14 at 07:40 -0500, Josh Bressers wrote: 
> > > Hello all,
> > > 
> > > I suspect this is going to be a weird problem to figure out.
> > > 
> > > Revelation password manager
> > > https://admin.fedoraproject.org/pkgdb/applications/Revelation Password Manager
> > > 
> > > Has been found to be unsafe.
> > > http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
> > > 
> > > I would hope it gets fixed at some future point, but something should
> > > probably be done in the short term.
> > > 
> > > I'm not sure what Fedora precedent is on issues like this. We can't
> > > really revoke such a package, and we also want to give users a warning
> > > to use a different password manager (I'm not entirely sure how to best
> > > do this).
> > > 
> > > Does anyone have any thoughts?
> > 
> > The insecurity of the Revelation db format is not as dire as the blog
> > tries to picture it. Sure, if you use a password with low entropy then it
> > is much worse than in the case of a properly salted PBKDF2 algorithm. But if
> > your password contains enough entropy (100 bits or more) it is OK.
> > Especially if you do not use it to protect passwords for classified
> > materials. :) So perhaps a warning to use only strong passwords could be
> > added somewhere.
> 
> Right. Honestly, as a Revelation user with a ten character password, the
> blog post honestly did not make me feel like 'oh shit I need to change
> everything immediately'. I don't use Revelation because I consider it
> likely that some determined attacker is going to acquire a copy of my
> database file (in itself not trivial) and then throw several weeks of
> high-end processing power at accessing my password database. I use it
> because it's a very effective way of ensuring things like the LinkedIn
> password database breach have a very limited impact on me.

FWIW, I'd recommend KeePassX as an impressive alternative to Revelation,
with much more advanced & flexible functionality.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
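The thread's point is that the strength of a password-manager file rests on two things: how the key is derived from the master password (a salted, iterated KDF such as PBKDF2 versus a single fast hash) and how much entropy the password itself carries. The following added example, not code from the thread or from Revelation itself, contrasts an illustrative unsalted fast-hash derivation with salted PBKDF2-HMAC-SHA256 and puts numbers on the work an attacker faces; the sample passwords, salt size and iteration count are constructed assumptions, and the weak scheme is a generic illustration, not a claim about Revelation's actual format.

```python
import hashlib
import math
import os

# Constructed sample values for the demo; not taken from the discussion.
WEAK_PASSWORD = "hunter2"                       # low-entropy, dictionary-grade
STRONG_PASSPHRASE = "lantern quartz 8 river slow moth"  # several random words
ITERATIONS = 200_000                             # assumed PBKDF2 work factor


def weak_key(password: str) -> bytes:
    """Illustrative weak scheme: one unsalted, fast hash of the password.
    The same password always maps to the same key, so one precomputed
    candidate table would apply to every file protected this way."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def pbkdf2_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Properly salted PBKDF2-HMAC-SHA256: a per-file random salt defeats
    shared precomputation and the iteration count multiplies per-guess cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def random_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length/alphabet.
    A 10-character password over 94 printable ASCII symbols is about 65 bits."""
    return length * math.log2(alphabet_size)


def guess_cost_bits(password_entropy_bits: float, iterations: int) -> float:
    """log2 of hash invocations to exhaust the password space: the KDF's
    iteration count adds log2(iterations) bits on top of the password's own
    entropy, which is why low entropy hurts far more without a slow KDF."""
    return password_entropy_bits + math.log2(iterations)


def demo() -> dict:
    """Show that salting gives different keys per file while the weak scheme
    is fixed, and compare attacker work for a 10-char password with and
    without the KDF, and for the 100-bit threshold mentioned in the thread."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    ten_char = random_password_entropy_bits(10, 94)
    return {
        "weak_key_is_fixed": weak_key(WEAK_PASSWORD) == weak_key(WEAK_PASSWORD),
        "salted_keys_differ": pbkdf2_key(WEAK_PASSWORD, salt_a)
                              != pbkdf2_key(WEAK_PASSWORD, salt_b),
        "ten_char_unsalted_fast_hash_bits": guess_cost_bits(ten_char, 1),
        "ten_char_pbkdf2_bits": guess_cost_bits(ten_char, ITERATIONS),
        "hundred_bit_fast_hash_bits": guess_cost_bits(100, 1),
    }
```

Run `demo()` to see that the slow KDF adds roughly 17.6 bits of work at 200,000 iterations, a large gain for a 10-character password but only a footnote next to a 100-bit passphrase, which matches the thread's "enough entropy makes it OK" argument.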

