On Fri, May 16, 2008 at 11:46:13PM +0200, Moritz Muehlenhoff <[EMAIL PROTECTED]> was heard to say:
> Daniel Burrows wrote:
> > I notice that pwsafe is linked against openssl. Is it affected by the
> > recent debacle and if so, how? Do I need to regenerate all my
> > randomized passwords, or somehow re-encrypt the pwsafe database?
>
> I've looked briefly into it: The Blowfish encryption key is constructed
> from a SHA1 built from an initial random value, two zero bytes and the
> passphrase. So if an unmodified database created using a broken libssl
> copy is exposed to an attacker, it's more open to brute forcing attempts,
> but still safe-guarded by the passphrase.
>
> Fortunately the random part is renewed whenever the database is saved.
> By my understanding - I don't use pwsafe myself - this should happen
> whenever an entry is added or modified.
According to upstream, that's not enough :( -- you need to create a new database and merge into it. It looks like someone has put this information into the wiki already.

Also, that sinking feeling in my stomach was right: the random passwords you generate in pwsafe were predictable with the broken openssl. So anyone who's relied on the randomization feature of pwsafe needs to reset all their passwords.

Daniel