On Thu, 2012-06-14 at 17:21 +0200, Tomas Mraz wrote:
> On Thu, 2012-06-14 at 07:40 -0500, Josh Bressers wrote:
> > Hello all,
> >
> > I suspect this is going to be a weird problem to figure out.
> >
> > Revelation password manager
> > https://admin.fedoraproject.org/pkgdb/applications/Revelation Password Manager
> >
> > Has been found to be unsafe.
> > http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
> >
> > I would hope it gets fixed at some future point, but something should
> > probably be done in the short term.
> >
> > I'm not sure what Fedora precedent is on issues like this. We can't
> > really revoke such a package, and we also want to give users a warning
> > to use a different password manager (I'm not entirely sure how to best
> > do this).
> >
> > Does anyone have any thoughts?
>
> The insecurity of the Revelation db format is not as dire as the blog
> tries to picture it. Sure, if you use a password with low entropy then it
> is much worse than in the case of a properly salted PBKDF2 algorithm. But if
> your password contains enough entropy (100 bits or more) it is OK.
> Especially if you do not use it to protect passwords for classified
> materials. :) So perhaps a warning to use only strong passwords could be
> added somewhere.

Right. Honestly, as a Revelation user with a ten character password, the
blog post honestly did not make me feel like 'oh shit I need to change
everything immediately'. I don't use Revelation because I consider it
likely that some determined attacker is going to acquire a copy of my
database file (in itself not trivial) and then throw several weeks of
high-end processing power at accessing my password database. I use it
because it's a very effective way of ensuring things like the LinkedIn
password database breach have a very limited impact on me. I don't think
the vulnerability is sufficiently serious to justify effectively killing
the package, if I'm understanding the description correctly.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
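The argument in the thread above, that a salted, iterated KDF such as PBKDF2 matters most when the password has low entropy and matters little once the password carries 100 bits or more, can be worked through numerically. The following is an added example written for this page; it is not code from the thread, from Revelation, or from the linked blog post. The "unsalted single hash" function is an assumed stand-in for a weak key-derivation scheme and not a description of Revelation's actual on-disk format, and the attacker hash rate (1e9 SHA-256 per second) and the iteration count (100000) are constructed figures chosen only to show the scaling.

```python
import hashlib
import math
import os


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a password of `length` symbols chosen uniformly at
    random from an alphabet of `alphabet_size` symbols. A human-chosen
    password of the same length usually has far less than this."""
    return length * math.log2(alphabet_size)


def unsalted_single_hash(password: bytes) -> bytes:
    """Assumed illustration of the weak pattern: one unsalted hash of the
    password used directly as the key. Every guess costs one hash, and the
    same password always yields the same key in every database (this is a
    constructed stand-in, not a claim about Revelation's real format)."""
    return hashlib.sha256(password).digest()


def salted_pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 producing a 32-byte key. Each guess now
    costs `iterations` HMAC evaluations and has to be repeated per salt, so
    a table precomputed for one database is useless against another."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def new_salt() -> bytes:
    """A fresh random 16-byte salt for each stored database."""
    return os.urandom(16)


def expected_guess_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random password of the given
    entropy: on average half of the 2**bits keyspace must be searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def kdf_guesses_per_second(raw_hashes_per_second: float, iterations: int) -> float:
    """Guess rate against PBKDF2 is the raw hash rate divided by the
    iteration count (the constant factor of HMAC's two hashes is ignored)."""
    return raw_hashes_per_second / iterations


def compare(length: int, alphabet_size: int,
            raw_hashes_per_second: float, iterations: int) -> dict:
    """Expected brute-force time for the weak scheme and for PBKDF2."""
    bits = password_entropy_bits(length, alphabet_size)
    return {
        "entropy_bits": bits,
        "seconds_unsalted_single_hash":
            expected_guess_seconds(bits, raw_hashes_per_second),
        "seconds_pbkdf2":
            expected_guess_seconds(bits, kdf_guesses_per_second(
                raw_hashes_per_second, iterations)),
    }


if __name__ == "__main__":
    # Constructed figures: passwords drawn from the 94 printable ASCII
    # characters, a hypothetical attacker doing 1e9 SHA-256/s, and 100000
    # PBKDF2 iterations. 10 characters gives about 65.5 bits; 16 gives
    # about 104.9 bits, i.e. past the 100-bit mark mentioned in the thread.
    year = 86400 * 365
    for length in (10, 16):
        r = compare(length, 94, 1e9, 100_000)
        print(f"{length} chars: {r['entropy_bits']:.1f} bits, "
              f"single hash {r['seconds_unsalted_single_hash'] / year:.3g} years, "
              f"PBKDF2 {r['seconds_pbkdf2'] / year:.3g} years")

    # Same password in two databases: identical keys without a salt,
    # different keys with one, so a leak of one key reveals nothing about
    # the other.
    pw = b"correct horse"  # constructed sample password
    print("unsalted keys equal:", unsalted_single_hash(pw) == unsalted_single_hash(pw))
    print("salted keys equal:  ", salted_pbkdf2(pw, new_salt(), 1000)
                                   == salted_pbkdf2(pw, new_salt(), 1000))
```

Running it shows that PBKDF2 with 100000 iterations buys exactly a factor of 100000 (about 17 bits) against a brute-force attacker, which is decisive for a low-entropy password but a rounding error once the password itself is past 100 bits; that is the trade-off the thread is weighing, and the reason the practical advice that comes out of it is "use a long random master password" rather than "stop using the tool".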