password safes for mac

Perry E. Metzger perry at piermont.com
Sun Jun 28 15:15:33 EDT 2009


Thorsten Holz <thorsten.holz at informatik.uni-mannheim.de> writes:
> On 28.06.2009, at 20:34, Perry E. Metzger wrote:
>> The fact that it isn't open source worries me a bit -- it means I
>> can't
>> verify that it does things correctly. Also, it integrates heavily with
>> lots of things, which makes me further worry about bugs. I'm looking
>> for
>> something very simple if possible.
>
> KeePassX (http://www.keepassx.org/) might then be the right tool for
> you. Simple, non-intrusive password manager, everything is open- 
> source, and it is even cross-platform.

Thanks for the tip, I just quickly glanced at the code.

It has problems. Among other things, it only mlocks your session key
itself into memory, leaving both the AES key schedule (oops!) and the
decrypted data (oops!) pageable into swap. (Why bother mlocking the text
of the key if you're not going to lock the key schedule?)

It is also a pretty large program (nearly 28k lines!) written in
C++. (They even created a "SecString" class just for the session key.)
This much code is too big for me to understand and audit for real --
doubtless there are more things I would want to know lurking.

(Of course, this is why I wanted to have something open source to look
at -- I have no idea if 1Password does things like mlocking correctly
and I never will know because it is closed source and thus not amenable
to examination.)


Perry
-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list