Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Aug 2012 21:37:13 -0400 (EDT)
From: "Brad Tilley" <>
Subject: Re: Arstechnica Password article (feat. Matt Weir)


> I can't say that 1Password is the only password manager out there that
> uses a separate key file (there are lots of things out there, even if we
> exclude the snake oil from consideration), but it is the only one that I
> know of.

Solar, I apologize in advance if this is inappropriate, but I felt I had
to respond.

Snake oil? What do you mean by that? Many people consider closed-source
password managers that claim to encrypt and store passwords to be snake
oil. Their encryption is closed-source and unverified. That is the epitome
of snake oil. There is no higher kind of snake oil than that.

You may know that well-regarded software experts who write reliable
open-source software get encryption wrong at times:

As many on this list know, Colin is the FreeBSD Security Office and (as
demonstrated in his post) even he makes mistakes in open-source encryption
code and admits to them and fixes them and moves on. I have nothing
against that. Thank god for developers such as Colin and his code. Tarsnap
is a lesson is clean, well-designed C code that every developer should

But knowing that people such as olin make mistakes, why on earth would
rational people trust a corporation that sells closed source encryption
software to protect their most important digital assets, their passwords?
Why would I want to pay for this snake oil?

I have nothing to sell and nothing to hide. All my source code is public
and you may compile it from scratch and critique it as well. And I think
it's very important to note that JtR is open-source software and many
people who use it value that very much and distrust anything (especial
encryption software) that is closed source and unverified. I know that I

I don't mean to offend anyone, but I feel very strongly about this and I
suspect other here do as well. The term snake-oil should not be throw
around as a general, blanket accusation. If you think something is
snake-oil (such as closed-source, proprietary password managers) then you
ought to name them specifically rather than just imply that some may be
snake-oil while others are not.

I'll state the truth as I see it: all closed-source, unverified passwords
managers that use god knows what type of encryption are snake oil. There,
I said it, and it's true.



Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.