Date: Tue, 21 Aug 2012 21:37:13 -0400 (EDT)
From: "Brad Tilley" <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: Arstechnica Password article (feat. Matt Weir)
<snip>
> I can't say that 1Password is the only password manager out there that
> uses a separate key file (there are lots of things out there, even if we
> exclude the snake oil from consideration), but it is the only one that I
> know of.
Solar, I apologize in advance if this is inappropriate, but I felt I had
to respond.
Snake oil? What do you mean by that? Many people consider closed-source
password managers that claim to encrypt and store passwords to be snake
oil. Their encryption is closed-source and unverified. That is the epitome
of snake oil. There is no higher kind of snake oil than that.
You may know that well-regarded software experts who write reliable
open-source software get encryption wrong at times:
http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html
As many on this list know, Colin is the FreeBSD Security Officer and (as
demonstrated in his post) even he makes mistakes in open-source encryption
code and admits to them and fixes them and moves on. I have nothing
against that. Thank god for developers such as Colin and his code. Tarsnap
is a lesson in clean, well-designed C code that every developer should
read.
But knowing that people such as Colin make mistakes, why on earth would
rational people trust a corporation that sells closed source encryption
software to protect their most important digital assets, their passwords?
Why would I want to pay for this snake oil?
I have nothing to sell and nothing to hide. All my source code is public
and you may compile it from scratch and critique it as well. And I think
it's very important to note that JtR is open-source software and many
people who use it value that very much and distrust anything (especially
encryption software) that is closed source and unverified. I know that I
do.
I don't mean to offend anyone, but I feel very strongly about this and I
suspect others here do as well. The term snake-oil should not be thrown
around as a general, blanket accusation. If you think something is
snake-oil (such as closed-source, proprietary password managers) then you
ought to name them specifically rather than just imply that some may be
snake-oil while others are not.
I'll state the truth as I see it: all closed-source, unverified password
managers that use god knows what type of encryption are snake oil. There,
I said it, and it's true.
Regards,
Brad