Version: (using KDE 3.5.1)
Installed from: SuSE RPMs

According to the KWallet Handbook, "the wallet subsystem provides a convenient and secure way to manage all your passwords", and that data is saved "in a strongly encrypted file". I'm sorry, but simply stating that the data is "encrypted" doesn't reassure me. Can you please add details to the documentation indicating what method of encryption is used? There are far too many snake-oil cryptography programs out there that use trivially breakable schemes, such as simple ciphers, or simply "security by obscurity". What proof do we have that KWallet is any different from these systems? PGP may be "tedious and inconvenient", as the KWallet manual says, but it also happens to be secure. If I knew that KWallet was using GnuPG (or something similar) as a backend, I would feel a lot safer. On the other hand, if the encryption scheme is just something the KWallet developers dreamed up, then it's almost certainly not safe to use for sensitive data.
George, I just found your paper on KWallet at <http://www.staikos.net/~staikos/papers/2003/kwallet-kastle-2003.ps>. It might refer to a much older version of KWallet, but contains a lot of information useful to people who want to be assured that KWallet is secure. For example, you explain that you use Blowfish, SHA-1, and MD5. It's good to know that you are using standard encryption and hashing functions rather than rolling your own, but this information should go in the KWallet documentation, not hidden on a personal website somewhere. Advanced users won't recommend KWallet to each other or to novice users unless they have this information.
AGREED. 100%.
*** This bug has been confirmed by popular vote. ***
SVN commit 1071214 by jtamate:
BUG: 122942
CC: kde-i18n-doc@kde.org
Include some more information about how the encrypted data is managed by kwallet.
http://reviewboard.kde.org/r/2388/
M +12 -3 index.docbook
WebSVN link: http://websvn.kde.org/?view=rev&revision=1071214