Comments
Security Fail: Apple iOS Password Managers
Newest First  |  Oldest First  |  Threaded View
clurey606
50%
50%
clurey606,
User Rank: Apprentice
2/21/2013 | 8:51:36 PM
re: Security Fail: Apple iOS Password Managers
FYI, both researchers at Elcomsoft have since left the company and refuse to update their research findings. "Keeper" rolled out numerous security updates in 2012 to address these issues.
Stuart12345
50%
50%
Stuart12345,
User Rank: Apprentice
11/20/2012 | 1:21:06 AM
re: Security Fail: Apple iOS Password Managers
Why put a lock on a window when most theives will gain entry with the use of a brick through the glass. Sure you can put a wire grill over the glass but there is always some other way to break through.
When 50% of the public don't have a password on their mobile device. Technology security such as Password locks stop the 95% and Password managers stop the 99.9% of theives, they lift the security defences. But nothing will be a 100% secure technology option in a networked and human world with social engineering strategies. Hence why isolated systems are ultimately the best defence for governments and military.
Great article, didn't see KeePass product in the write up.
Gurudatt
50%
50%
Gurudatt,
User Rank: Apprentice
11/13/2012 | 5:55:50 PM
re: Security Fail: Apple iOS Password Managers
How about ForgetPass.com? It does even have a registration and sign in page. And all your passwords are encrypted and stored locally on your computer.
AmazonMAL
50%
50%
AmazonMAL,
User Rank: Apprentice
5/18/2012 | 4:03:10 PM
re: Security Fail: Apple iOS Password Managers
Hello, I am not a security expert, just have a question. Keeper is updating to version 5 soon and they say "We are increasing the encryption levels of the master password and data storage to add additional protection for our users. For those of you who are technically savvy, all password hashes will be encoded with BCrypt, supported with 128-bit AES for all symmetric ciphers."
Will this make the product more secure? Using on device with IOS pass codes.
Stephen Lombardo
50%
50%
Stephen Lombardo,
User Rank: Apprentice
3/22/2012 | 10:41:01 PM
re: Security Fail: Apple iOS Password Managers
I'm one of the developers of STRIP, the password manager that was favorably reviewed by the presenters. This paper was especially important because it exposed a range of serious issues, from apps that don't even encrypt data, to real flaws in crypto implementations. These findings have sparked a lot of interest in STRIP because of it's resilience to password cracking (we've released converters from other less-secure programs, like SplashID : http://getstrip.com/switch).

That said, the premise holds that, regardless of the application used, numeric PIN numbers are not safe. The choice of password is thus very important and a key factor in the overall security of any encryption system, and there just isn't enough entropy in a numeric passcode to render brute force attacks infeasible. With a fast GPU an 8 digit numeric PIN could take a few hours to crack, yet an 8 character random alphanumeric password with meta-characters would take thousands of years.
Khad Young
50%
50%
Khad Young,
User Rank: Apprentice
3/17/2012 | 1:58:42 AM
re: Security Fail: Apple iOS Password Managers
I though it may be prudent to post the email that we sent Matthew earlier which includes a link to our response for the benefit of those following along at home.

---

Hi Matthew, it's good to see tech publications bringing up the topic of security in the mobile space. It's a tough nut to crack in some key ways.

We read your piece and our co-founder wrote a response about how we approach some of these issues as well as some of our plans for updates in the future, including 1Password 4. Could you take a look and let me know if you have any questions?

http://blog.agilebits.com/2012...

I think some of our comments here could serve as a response to some of the issues brought up by Elcomsoft's white paper, but please let me know if you have any questions you would like to ask me or others at AgileBits. We're here to listen and help.

Thanks again, Matthew.

---
Khad Young
Forum Choreographer, AgileBits
http://agilebits.com/support
clurey606
50%
50%
clurey606,
User Rank: Apprentice
3/16/2012 | 11:11:54 PM
re: Security Fail: Apple iOS Password Managers
The app developers should have been contacted prior to the release of this document. There are many statements here which are not accurate and oversimplified.


Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-2607
PUBLISHED: 2018-05-21
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users...
CVE-2018-1108
PUBLISHED: 2018-05-21
kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
CVE-2018-11330
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
CVE-2018-11331
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.
CVE-2018-7687
PUBLISHED: 2018-05-21
The Micro Focus Client for OES before version 2 SP4 IR8a has a vulnerability that could allow a local attacker to elevate privileges via a buffer overflow in ncfsd.sys.