Password Safe. Using Bcrypt

[spence91]

I was browsing the TCL forums and saw a request from user 'Netmonad' for a new extension for the 'pwsafe' application.
Here: http://forum.tinycorelinux.net/index.php/topic,13877.0/topicseen.html

It's not immediately obvious what encryption is used, but it got me thinking about what I currently use - a simple text file with usernames and passwords (comma seperated) which is then encrypted with bcrypt - the one that is standard in TCL. I do this because it's simple and compatible with all my electronic devices (android, windows, ARM linux, x86 linux etc etc).

To get a password, I decrypt to stdout and grep. To edit, I decrypt to RAMDisk, edit and then encrypt again, so nothing in plain text gets written to disk.

I'd like to know what people's opinion is on the safety of this, and bcrypt in general.
What do you guys use?

(Edited for clarity.)

[curaga]

I use openssl's blowfish, though my file doesn't contain usernames or passwords, it merely contains lines of "site: password hint".

The safety of your operation sounds good. Remember that bcrypt shreds the original file N times after encrypting, so there is nothing recognizable in your RAM at that spot after power off.

Possible vectors to your operation would be swap, and of course owning the machine.

--

The bcrypt app has one weak point, to gain the 448-bit key it repeats your password until it's long enough. So if your password was "bear" the resulting key would be "bearbearbear..." up to 448 bits.

This is only a downside if you happen to have a cyclic password, then it can be decrypted only using the smallest portion.