On Thu, Jun 14, 2012 at 11:24:20AM -0700, Adam Williamson wrote:
> On Thu, 2012-06-14 at 17:21 +0200, Tomas Mraz wrote:
> > On Thu, 2012-06-14 at 07:40 -0500, Josh Bressers wrote:
> > > Hello all,
> > >
> > > I suspect this is going to be a weird problem to figure out.
> > >
> > > Revelation password manager
> > > https://admin.fedoraproject.org/pkgdb/applications/Revelation Password Manager
> > >
> > > has been found to be unsafe.
> > > http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
> > >
> > > I would hope it gets fixed at some future point, but something should
> > > probably be done in the short term.
> > >
> > > I'm not sure what Fedora precedent is on issues like this. We can't
> > > really revoke such a package, and we also want to give users a warning
> > > to use a different password manager (I'm not entirely sure how to best
> > > do this).
> > >
> > > Does anyone have any thoughts?
> >
> > The insecurity of the Revelation db format is not as dire as the blog
> > tries to picture it. Sure, if you use a password with low entropy then it
> > is much worse than in the case of a properly salted PBKDF2 algorithm. But if
> > your password contains enough entropy (100 bits or more) it is OK.
> > Especially if you do not use it to protect passwords for classified
> > materials. :) So perhaps a warning to use only strong passwords could be
> > added somewhere.
>
> Right. Honestly, as a Revelation user with a ten-character password, the
> blog post did not make me feel like 'oh shit I need to change
> everything immediately'. I don't use Revelation because I consider it
> likely that some determined attacker is going to acquire a copy of my
> database file (in itself not trivial) and then throw several weeks of
> high-end processing power at accessing my password database. I use it
> because it's a very effective way of ensuring things like the LinkedIn
> password database breach have a very limited impact on me.
FWIW, I'd recommend KeePassX as an impressive alternative to Revelation,
with much more advanced & flexible functionality

Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
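The entropy argument Tomas makes above (a slow, salted KDF only matters when the password itself is weak) can be put in numbers. The following is an added example written for this page; it is not code from the thread, from Revelation, or from KeePassX, and it does not reproduce Revelation's actual database format. It contrasts a single unsalted fast hash with salted PBKDF2 from Python's standard `hashlib`, and estimates attacker effort as a function of password entropy. The attacker throughput (1e10 fast hashes per second), the PBKDF2 iteration count (100 000) and the 94-symbol printable alphabet are constructed assumptions chosen for illustration, not measurements.

```python
"""Added example (not part of the original thread or of Revelation):
how much a slow, salted KDF such as PBKDF2 adds to a password's margin,
and why that margin matters less once the password itself carries
100+ bits of entropy. Throughput numbers are constructed assumptions."""
import hashlib
import math
import os

# Constructed assumption: guesses per second an attacker can try against a
# single fast, unsalted hash. Treat as an order of magnitude, not a benchmark.
FAST_HASHES_PER_SEC = 1e10
# Constructed assumption: iteration count of the "properly salted PBKDF2" scheme.
PBKDF2_ITERATIONS = 100_000
SECONDS_PER_YEAR = 31_557_600


def password_entropy_bits(length, alphabet_size):
    """Entropy of a password of `length` symbols chosen uniformly at random
    from an alphabet of `alphabet_size` symbols. Human-chosen passwords
    carry far less than this."""
    return length * math.log2(alphabet_size)


def effective_entropy_bits(entropy_bits, iterations):
    """A KDF costing `iterations` hash evaluations per guess slows the attacker
    by that factor, which is worth log2(iterations) extra bits of password.
    With iterations=1 (one unsalted hash) nothing is added."""
    return entropy_bits + math.log2(iterations)


def expected_crack_seconds(entropy_bits, iterations=1,
                           hashes_per_sec=FAST_HASHES_PER_SEC):
    """Expected time to find a uniformly random password: on average the
    attacker tries half the keyspace, each try costing `iterations` hashes."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / hashes_per_sec


def derive_key_weak(password: str) -> bytes:
    """One fast hash, no salt: equal passwords give equal keys in every
    database, so one precomputed table serves against all victims."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def derive_key_pbkdf2(password: str, salt: bytes,
                      iterations=PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated derivation: the salt defeats precomputation, the
    iteration count sets the per-guess cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def compare(length, alphabet_size=94):
    """Attacker's expected effort for a random password of `length` symbols
    (94 = printable ASCII without space) under both derivation schemes."""
    bits = password_entropy_bits(length, alphabet_size)
    return {
        "entropy_bits": bits,
        "weak_years": expected_crack_seconds(bits) / SECONDS_PER_YEAR,
        "pbkdf2_years": expected_crack_seconds(bits, PBKDF2_ITERATIONS)
        / SECONDS_PER_YEAR,
        "pbkdf2_equivalent_bits": effective_entropy_bits(bits, PBKDF2_ITERATIONS),
    }


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    # No salt: the same password always yields the same key.
    assert derive_key_weak(pw) == derive_key_weak(pw)
    # Salted: the same password yields unrelated keys per database.
    assert derive_key_pbkdf2(pw, salt_a) != derive_key_pbkdf2(pw, salt_b)
    for n in (8, 10, 16):
        r = compare(n)
        print(f"{n:2d} random printable chars: {r['entropy_bits']:.1f} bits, "
              f"fast hash ~{r['weak_years']:.2g} y, "
              f"PBKDF2 ~{r['pbkdf2_years']:.2g} y "
              f"(like a {r['pbkdf2_equivalent_bits']:.1f}-bit password "
              f"under a fast hash)")
```

Under these assumptions 100 000 PBKDF2 iterations are worth about 16.6 bits: a ten-character random password (about 65.5 bits) behaves like an 82-bit one, and an eight-character one goes from days to centuries. A sixteen-character random password already exceeds the 100-bit figure Tomas cites and is out of reach under either scheme, which is the point of his reply; the caveat is that a human-chosen ten-character password rarely carries anything near 65 bits.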