On Tue, 2002-05-07 at 11:37, Jonas V. wrote:
> I want to use a password-manager like "Oubliette".
> Is this very insecure?
> I can choose a very hard master-password with more than 96 bits length.
> What encryption-algorithm and key-length use a program like this?

The problem with password managers is that they become a potential single point of failure. If the developer is not familiar with secure coding practices, this application could lead to the compromise of all your accounts. The application should also use known and tested encryption algorithms (such as Blowfish).

Oubliette looks interesting. Using Blowfish and IDEA are good choices. Source code is also available, which is a definite plus. It would be nice to know if that source code has undergone any kind of review. For example, a friend of mine did some cursory code review of Password Corral (a similar password manager). This review led to a few changes to its code and later adoption into a corporate environment. But like any security application, it could probably use additional review.

For me, I tend to go for a low-thrills but solid solution; GnuPG (my personal choice) or PGP. Both have undergone considerable review and are very versatile. Of course, if you wish to use a graphical front-end to GnuPG, you may find yourself back to the question of code review for the front-end.

Using GnuPG/PGP as a password manager is fairly simple. Create a flat text file with all your account information in it, generate a keypair with a good passphrase, and encrypt that account info file using your private key (be sure to delete the unencrypted version of this file if it wasn't overwritten with the encrypted version). Simple enough. Any time you need to see your account information, decrypt the file. This might be a bit different depending on your implementation and interface. I use a command-line and GnuPG. By default, GnuPG will dump an unencrypted view of the file to the screen without actually overwriting the encrypted file itself (so I don't have to worry about forgetting to re-encrypt the file once I'm done).

> Please don't laugh about my English!
> I'm German and 12 years old.

My German is much worse. Among the few things I still remember is "Bitte ein Bit". I think I still have a sticker with that phrase on it in a box somewhere. Ahh well. Tschüss!

-- 
.: Paul Hosking . [EMAIL PROTECTED]
.: InfoSec . 408.829.9402
.: PGP KeyID: 0x42F93AE9
.: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE9
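The GnuPG-as-password-store workflow described in the reply above, scripted end to end as an added example (this is not code from the original message or from the GnuPG project). It assumes GnuPG 2.1 or later is installed; the user id, passphrase, directory names and the sample account lines are all constructed for the demo. One detail differs from the reply's wording: gpg encrypts a file to the keypair's public key, and the private key (unlocked by the passphrase) is what decrypts it. The passphrase is passed on the command line only so the demo runs unattended; for real use, let gpg prompt for it.

```shell
#!/bin/sh
# Added example: GnuPG as a minimal password store, following the steps in the reply.
# Assumes gpg 2.1+; all names, the passphrase and the account lines are constructed.
set -eu

# Every step runs inside a private GNUPGHOME so the demo never touches your real keyring.
make_workdir() {
    work=$(mktemp -d)
    mkdir -m 700 "$work/gnupghome"
    # Let the demo supply the passphrase programmatically (older 2.1 agents require this).
    printf 'allow-loopback-pinentry\n' > "$work/gnupghome/gpg-agent.conf"
    printf '%s\n' "$work"
}

# Step 1: the flat text file with account information (constructed sample data).
write_accounts() {            # $1 = path of the plaintext file
    cat > "$1" <<'EOF'
# service   username   password
mail.example.invalid   jonas   correct-horse-battery-staple
shell.example.invalid  jonas   Tr0ub4dor&3
EOF
}

# Step 2: generate a keypair protected by the passphrase (batch mode, non-interactive).
gen_key() {                   # $1 = GNUPGHOME, $2 = passphrase, $3 = user id
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase "$2" \
        --quick-generate-key "$3" default default never
}

# Step 3: encrypt the file to our own public key, then remove the plaintext.
encrypt_file() {              # $1 = GNUPGHOME, $2 = user id, $3 = plaintext path
    GNUPGHOME="$1" gpg --batch --yes --quiet --trust-model always \
        --recipient "$2" --output "$3.gpg" --encrypt "$3"
    # Plain deletion; journaling filesystems and SSDs may keep remnants of the plaintext.
    rm -f "$3"
}

# Step 4: view the store. "gpg --decrypt" writes the plaintext to stdout only; the .gpg
# file on disk is left untouched, which is the behaviour the reply relies on.
show_store() {                # $1 = GNUPGHOME, $2 = passphrase, $3 = encrypted path
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase "$2" \
        --decrypt "$3"
}

# Full round trip: returns 0 and prints the decrypted store if every step behaved as
# described (plaintext removed, ciphertext present before and after viewing, contents equal).
round_trip() {                # $1 = passphrase
    work=$(make_workdir)
    home="$work/gnupghome"
    uid="password store (demo) <pw@example.invalid>"
    write_accounts "$work/accounts.txt"
    expected=$(cat "$work/accounts.txt")
    gen_key "$home" "$1" "$uid"
    encrypt_file "$home" "$uid" "$work/accounts.txt"
    [ ! -e "$work/accounts.txt" ] || return 1        # plaintext must be gone
    [ -s "$work/accounts.txt.gpg" ] || return 1      # ciphertext must exist
    got=$(show_store "$home" "$1" "$work/accounts.txt.gpg")
    [ -s "$work/accounts.txt.gpg" ] || return 1      # still there after viewing
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    [ "$got" = "$expected" ] && printf '%s\n' "$got"
}

# Usage: round_trip 'your-demo-passphrase'
```

Sourcing the file and calling `round_trip` with a passphrase walks through all four steps in a throwaway keyring and prints the recovered account lines; a non-zero exit means one of the checks (plaintext removed, ciphertext intact, contents identical) failed.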
