On Saturday 25 June 2005 20:30, Itay Duvdevani wrote:
> > >
> > > Recently I was wondering about applications like Mozilla's Password
> > > Manager, KWalletManager and applications of this sort.
> > >
> > > I assume these applications use encryption to store my passwords on the
> > > disk. Unfortunately, the code is open, and I find this sort of
> > > protection pretty weak (unless I'm mistaken somewhere along the way).
> >
> > Sure thing.
> >
> > That's why you can lock your password file using a "master password", or
> > using gpg.
>
> My question was regarding applications that are not password-protected.
>

Then your examples (Mozilla password manager and Kwallet) were very poorly 
chosen.

>
> Since it is obvious that when I don't use a master password it will be
> possible to extract the passwords from my db, I want to prevent the
> trivial case of source-lookup (No anti-debugging tricks for the
> binary, yet :).
>

Any decent commercial product that encrypts something will require you to have 
a key as well. Nobody is stupid enough to think that if the source code is 
not available the algorithm is secret, and this is why you will never find a 
serious security solution that has a secret (=password, algorithm, whatever) 
in the binary. Some people call that "security by obscurity", I call it the 
Chewbacca defense - it just doesn't make any sense.

And all of this has nothing to do with open source. I imagine you wouldn't 
want to use an encryption algorithm that doesn't break "only if you try the 
trivial attacks on it" as you put it. If this is the case, don't encrypt it 
and save yourself the illusion.

- Aviram
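To make the distinction in the reply concrete (an added illustration, not code from the thread or from either application named in it): a constructed Python store whose key lives in the program itself, so that reading the source is enough to recover every record, beside one that derives its key from a master password with PBKDF2 and therefore stores nothing that can be opened without the user present. The HMAC-SHA256 counter-mode keystream is an assumption chosen to keep the example standard-library only; a real implementation would use an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed: the secret the "no master password" design bakes into the binary.
# Anyone with the source, or a disassembler, has it.
EMBEDDED_KEY = b"\x01" * 32


def derive_key(master_password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the key exists only while the user supplies the password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)


def subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one root key."""
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (assumption, stdlib only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> Optional[bytes]:
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        return None  # wrong key or tampered record
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def store_without_master(secret: bytes) -> bytes:
    return seal(EMBEDDED_KEY, secret)


def recover_by_source_lookup(blob: bytes) -> Optional[bytes]:
    """The 'trivial case': the reader of the program already holds the key."""
    return open_(EMBEDDED_KEY, blob)


def store_with_master(secret: bytes, master_password: str) -> bytes:
    salt = os.urandom(16)
    return salt + seal(derive_key(master_password, salt), secret)


def recover_with_master(blob: bytes, master_password: str) -> Optional[bytes]:
    salt, rest = blob[:16], blob[16:]
    return open_(derive_key(master_password, salt), rest)
```

With the embedded key the stored blob decrypts for anyone who can read the program; with the master password design the same on-disk artifact yields nothing for a wrong password, and the program carries no secret to look up.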
