I'm wondering how secure the saved password is.
Here is my doubt for it:
- gnubiff encrypts the password using AES.
- Although AES is still thought to be a secure algorithm, the implementation with gnubiff may be not.
- since gnubiff does decrypt the password on its own, it must have the key in its source code.
- the source code is open for everybody to read.
-> therefore, one can obtain the password encryption key from gnubiff, and having broken into my account,
can use it to obtain my password from the .gnubiffrc file.
(the password used for my account must not be the same as the password used for gnubiff; also, there
are ways to get access to .gnubiffrc without having to know the password for my account.)
What do you think of my chain of reasoning? Can you give a clue that gnubiff passwords are stored savely,
despite of my objections?
Log in to post a comment.