Re: Revelation password manager issue

On Thu, 2012-06-14 at 07:40 -0500, Josh Bressers wrote: 
> Hello all,
> 
> I suspect this is going to be a weird problem to figure out.
> 
> Revelation password manager
> https://admin.fedoraproject.org/pkgdb/applications/Revelation Password Manager
> 
> Has been found to be unsafe.
> http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
> 
> I would hope it gets fixed at some future point, but something should
> probably be done in the short term.
> 
> I'm not sure what Fedora precedent is on issues like this. We can't
> really revoke such a package, and we also want to give users a warning
> to use a different password manager (I'm not entirely sure how to best
> do this).
> 
> Does anyone have any thoughts?

The insecurity of the Revelation db format is not as dire as the blog
tries to picture it. Sure, if you use a password with low entropy then it
is much worse than in the case of a properly salted PBKDF2 algorithm. But if
your password contains enough entropy (100 bits or more) it is OK.
Especially if you do not use it to protect passwords for classified
materials. :) So perhaps a warning to use only strong passwords could be
added somewhere.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
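
Added example (not part of the original messages and not Revelation's code): a sketch of the entropy-versus-stretching trade-off discussed in the reply above. The single SHA-256 pass is a stand-in for any derivation with no salt and no stretching, and the guess rate and iteration count are assumed figures.

```python
import hashlib
import math

# Assumed attacker speed in fast-hash guesses per second (illustrative, not from the thread).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def fast_unsalted_key(password: str) -> bytes:
    """Stand-in for a derivation with no salt and no stretching (one SHA-256 pass)."""
    return hashlib.sha256(password.encode()).digest()


def stretched_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 producing a 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def effective_bits(entropy_bits: float, iterations: int = 1) -> float:
    """Work to exhaust the password space, in bits; stretching adds log2(iterations)."""
    return entropy_bits + math.log2(iterations)


def years_to_exhaust(entropy_bits: float, iterations: int = 1) -> float:
    """Years to try every candidate password at GUESSES_PER_SECOND."""
    total_ops = 2 ** effective_bits(entropy_bits, iterations)
    return total_ops / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def report(iterations: int = 100_000) -> list:
    """(entropy bits, years without stretching, years with PBKDF2) per sample strength."""
    rows = []
    for bits in (30, 50, 100):  # weak, medium, and the 100-bit figure from the reply
        rows.append((bits, years_to_exhaust(bits), years_to_exhaust(bits, iterations)))
    return rows


if __name__ == "__main__":
    # Without a salt, equal passwords give equal keys, so one precomputed
    # guess list can be checked against every file that uses this scheme.
    print(fast_unsalted_key("hunter2") == fast_unsalted_key("hunter2"))
    # With per-file salts (constructed values), the same password gives different keys.
    print(stretched_key("hunter2", b"salt-A", 1000) != stretched_key("hunter2", b"salt-B", 1000))
    for bits, plain, stretched in report():
        print(f"{bits:>3} bits: no stretching {plain:.3g} y, PBKDF2 {stretched:.3g} y")
```

Stretching multiplies the search cost by the iteration count, which matters for weak passwords but is negligible next to a 100-bit password's own search space.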