If there was a password storage tool designed from the jump by a full-time cryptographic engineer, that'd be the one I'd talk about. Let me know if you find one?
Password Safe [1] was designed by Bruce Schneier; that could fit the bill. It seems to have done quite well in the paper cited by xenophonf in [2], too.
Looking at the C++ code for this project, this appears to be unauthenticated Twofish in ECB mode.
(I thought, no, no way is this actually ECB mode, maybe they just did the XOR'ing for CBC mode outside the Twofish class, but no: they appear to pad blocks explicitly to block boundaries and then ECB them.)
I looked for a total of 4 minutes, so if someone wants to correct me...
ECB mode is only used for the internal keys. The database records are encrypted in CBC mode, and there is an integrity authenticator HMAC as well. However, the format was designed in the days when MAC-then-encrypt was considered proper. So the authentication HMAC is over the plaintext prior to encrypting.
Yes, @tehjh on Twitter pointed this out. The CBC code is in Util.cpp, _readcbc; it appears to be length-delimited instead of padded, so there's probably another error oracle in the decoding of the length/type block.
Also: in PWSfileV3.cpp, are they HMAC'ing the IV?
This is interesting; we might be able to make an exercise out of it.
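An added example, not part of the thread and not Password Safe's code: it contrasts the MAC-then-encrypt, length-delimited layout described in the comments above with an encrypt-then-MAC layout whose HMAC also covers the IV. The record layout, function names and the HMAC-based stand-in cipher (used instead of Twofish-CBC so the block runs on the standard library alone) are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

def _xor(key, iv, data):
    # Constructed stand-in cipher (HMAC-SHA256 keystream), NOT Twofish-CBC.
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def seal_mte(ek, mk, field):
    """MAC-then-encrypt: the tag covers the plaintext field only."""
    iv = os.urandom(16)
    record = struct.pack("<I", len(field)) + field + _mac(mk, field)
    return iv + _xor(ek, iv, record)

def open_mte(ek, mk, blob):
    """Returns the field (bytes) or an error label (str)."""
    if len(blob) < 52:                        # 16 IV + 4 length + 32 tag
        return "bad-length"
    iv, body = blob[:16], blob[16:]
    record = _xor(ek, iv, body)               # decrypts unauthenticated bytes
    (n,) = struct.unpack("<I", record[:4])    # parses an unauthenticated length
    if n != len(record) - 36:
        return "bad-length"                   # failure reached before any MAC check
    field, tag = record[4:4 + n], record[4 + n:]
    if not hmac.compare_digest(tag, _mac(mk, field)):
        return "bad-mac"                      # second, distinguishable failure
    return field

def seal_etm(ek, mk, field):
    """Encrypt-then-MAC: the tag covers IV || ciphertext."""
    iv = os.urandom(16)
    ct = _xor(ek, iv, struct.pack("<I", len(field)) + field)
    return iv + ct + _mac(mk, iv + ct)

def open_etm(ek, mk, blob):
    """Returns the field (bytes) or the single label 'rejected'."""
    if len(blob) < 52:
        return "rejected"
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(mk, iv + ct)):
        return "rejected"                     # nothing is decrypted or parsed
    record = _xor(ek, iv, ct)
    (n,) = struct.unpack("<I", record[:4])    # length is authenticated by now
    return record[4:4 + n]
```

In the first layout a modified length byte and a modified field byte fail at different points with different results; in the second, every modification, including one to the IV, fails the same way before any decryption or parsing.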