Strength, in relation to a crypto algorithm, is not a quality that has a number. Blowfish is considered better than DES by most folks. The 32-bit to 448-bit key length is determined by you. To get stuff out of the safe, the program must prompt you for a password. Is your password 4 characters? If so you are using a 32-bit key. A password that short is easily guessed. Blowfish can handle a 56-character password, which is 448 bits.
Actually, ASCII is a 7-bit code. For most of us, 7 bits is really all we get per password character. Since we probably don't use control characters, it is really less than that. Longer passwords mean more security. That is the real problem with Unix passwords... 8 characters is not enough today.
I hope you're using a nice long password. A statement like: "The program is open source and code is on sourceforge. It uses Blowfish and we use a password that is at least 12 characters." would constitute proof as far as I'm concerned. If they think that is not good enough, I would want to see their proof of that. Rather long passwords in conjunction with proof that Blowfish is in use should be enough to satisfy your security people.
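As an added illustration of the point the post makes (this is example code, not anything from the original post or from the SourceForge program it mentions), the snippet below compares two numbers for a password: the nominal Blowfish key length you get if the program feeds the password bytes straight in as the key (one byte per character, clamped to Blowfish's 4 to 56 byte range), and a rough entropy estimate based on which character classes the password actually uses. The entropy estimate assumes each character is drawn uniformly from the union of the classes present, which is an optimistic assumption for human-chosen passwords; the gap between the two numbers is the part of the "448-bit key" that an attacker never has to guess.

```python
import math
import string

# Blowfish accepts keys of 4..56 bytes (32..448 bits), as the post states.
BLOWFISH_MIN_KEY_BITS = 32
BLOWFISH_MAX_KEY_BITS = 448


def nominal_key_bits(password: str) -> int:
    """Key length Blowfish would see if the password bytes were used directly
    as the key (assumption: the program does no key stretching or hashing).

    Each ASCII character is one byte, so a 4-character password is a 32-bit
    key and a 56-character one is 448 bits. Anything longer is truncated to
    the 448-bit maximum; anything shorter than 4 bytes is below the minimum.
    """
    bits = 8 * len(password.encode("ascii"))
    return min(bits, BLOWFISH_MAX_KEY_BITS)


def estimated_entropy_bits(password: str) -> float:
    """Crude entropy estimate: log2(pool size) per character, where the pool
    is the union of the character classes actually present. This treats every
    character as uniformly random from that pool, which overstates the
    strength of dictionary words and keyboard patterns."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        pool += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        pool += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)       # 32 printable ASCII symbols
    if " " in password:
        pool += 1
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def assess(password: str) -> dict:
    """Summarise nominal key size versus guessable entropy for one password."""
    nominal = nominal_key_bits(password)
    entropy = estimated_entropy_bits(password)
    return {
        "length": len(password),
        "nominal_key_bits": nominal,
        # The post's 7-bit ASCII ceiling: the most any character can contribute.
        "ascii_ceiling_bits": 7 * len(password),
        "estimated_entropy_bits": round(entropy, 1),
        "usable_as_blowfish_key": BLOWFISH_MIN_KEY_BITS <= nominal,
        "key_bits_never_guessed": round(nominal - entropy, 1),
    }


if __name__ == "__main__":
    # Constructed sample passwords, from the 4-character case the post warns
    # about up to a passphrase long enough to fill the 448-bit key.
    for pw in ["pass", "Tr0ub4dor&3!", "correct horse battery staple", "a" * 60]:
        print(repr(pw), assess(pw))
```

Run it and the 4-character example shows a 32-bit nominal key backed by under 19 bits of estimated entropy, while the 12-character mixed-class password the post asks for comes out near 79 bits; that is the sort of number worth putting in front of the security people alongside the statement that Blowfish is in use.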