Date: Tue, 21 Aug 2012 20:53:45 -0500
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: Arstechnica Password article (feat. Matt Weir)

Sorry. I was *not* saying that those I mentioned were snake oil. They emphatically aren't. 

Sent from my iPhone

On Aug 21, 2012, at 8:37 PM, "Brad Tilley" <brad@...ystems.com> wrote:

> <snip>
> 
>> I can't say that 1Password is the only password manager out there that
>> uses a separate key file (there are lots of things out there, even if we
>> exclude the snake oil from consideration), but it is the only one that I
>> know of.
> 
> Solar, I apologize in advance if this is inappropriate, but I felt I had
> to respond.
> 
> Snake oil? What do you mean by that? Many people consider closed-source
> password managers that claim to encrypt and store passwords to be snake
> oil. Their encryption is closed-source and unverified. That is the epitome
> of snake oil. There is no higher kind of snake oil than that.
> 
> You may know that well-regarded software experts who write reliable
> open-source software get encryption wrong at times:
> 
> http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html
> 
> As many on this list know, Colin is the FreeBSD Security Officer and (as
> demonstrated in his post) even he makes mistakes in open-source encryption
> code and admits to them and fixes them and moves on. I have nothing
> against that. Thank god for developers such as Colin and his code. Tarsnap
> is a lesson in clean, well-designed C code that every developer should
> read.
> 
> But knowing that people such as Colin make mistakes, why on earth would
> rational people trust a corporation that sells closed source encryption
> software to protect their most important digital assets, their passwords?
> Why would I want to pay for this snake oil?
> 
> I have nothing to sell and nothing to hide. All my source code is public
> and you may compile it from scratch and critique it as well. And I think
> it's very important to note that JtR is open-source software and many
> people who use it value that very much and distrust anything (especially
> encryption software) that is closed source and unverified. I know that I
> do.
> 
> I don't mean to offend anyone, but I feel very strongly about this and I
> suspect others here do as well. The term snake-oil should not be thrown
> around as a general, blanket accusation. If you think something is
> snake-oil (such as closed-source, proprietary password managers) then you
> ought to name them specifically rather than just imply that some may be
> snake-oil while others are not.
> 
> I'll state the truth as I see it: all closed-source, unverified password
> managers that use god knows what type of encryption are snake oil. There,
> I said it, and it's true.
> 
> Regards,
> 
> Brad
> 
