Date: Tue, 21 Aug 2012 21:37:13 -0400 (EDT)
From: "Brad Tilley" <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: Arstechnica Password article (feat. Matt Weir)

<snip>

> I can't say that 1Password is the only password manager out there that
> uses a separate key file (there are lots of things out there, even if we
> exclude the snake oil from consideration), but it is the only one that I
> know of.

Solar, I apologize in advance if this is inappropriate, but I felt I had
to respond.

Snake oil? What do you mean by that? Many people consider closed-source
password managers that claim to encrypt and store passwords to be snake
oil. Their encryption is closed-source and unverified. That is the epitome
of snake oil. There is no higher kind of snake oil than that.

You may know that well-regarded software experts who write reliable
open-source software get encryption wrong at times:

http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html

As many on this list know, Colin is the FreeBSD Security Officer and (as
demonstrated in his post) even he makes mistakes in open-source encryption
code and admits to them and fixes them and moves on. I have nothing
against that. Thank god for developers such as Colin and his code. Tarsnap
is a lesson in clean, well-designed C code that every developer should
read.

But knowing that people such as Colin make mistakes, why on earth would
rational people trust a corporation that sells closed-source encryption
software to protect their most important digital assets, their passwords?
Why would I want to pay for this snake oil?

I have nothing to sell and nothing to hide. All my source code is public
and you may compile it from scratch and critique it as well. And I think
it's very important to note that JtR is open-source software and many
people who use it value that very much and distrust anything (especially
encryption software) that is closed source and unverified. I know that I
do.

I don't mean to offend anyone, but I feel very strongly about this and I
suspect others here do as well. The term snake-oil should not be thrown
around as a general, blanket accusation. If you think something is
snake-oil (such as closed-source, proprietary password managers) then you
ought to name them specifically rather than just imply that some may be
snake-oil while others are not.

I'll state the truth as I see it: all closed-source, unverified password
managers that use god knows what type of encryption are snake oil. There,
I said it, and it's true.

Regards,

Brad
