Comments
Security Fail: Apple iOS Password Managers
Newest First  |  Oldest First  |  Threaded View
clurey606
50%
50%
clurey606,
User Rank: Apprentice
2/21/2013 | 8:51:36 PM
re: Security Fail: Apple iOS Password Managers
FYI, both researchers at Elcomsoft have since left the company and refuse to update their research findings. "Keeper" rolled out numerous security updates in 2012 to address these issues.
Stuart12345
50%
50%
Stuart12345,
User Rank: Apprentice
11/20/2012 | 1:21:06 AM
re: Security Fail: Apple iOS Password Managers
Why put a lock on a window when most theives will gain entry with the use of a brick through the glass. Sure you can put a wire grill over the glass but there is always some other way to break through.
When 50% of the public don't have a password on their mobile device. Technology security such as Password locks stop the 95% and Password managers stop the 99.9% of theives, they lift the security defences. But nothing will be a 100% secure technology option in a networked and human world with social engineering strategies. Hence why isolated systems are ultimately the best defence for governments and military.
Great article, didn't see KeePass product in the write up.
Gurudatt
50%
50%
Gurudatt,
User Rank: Apprentice
11/13/2012 | 5:55:50 PM
re: Security Fail: Apple iOS Password Managers
How about ForgetPass.com? It does even have a registration and sign in page. And all your passwords are encrypted and stored locally on your computer.
AmazonMAL
50%
50%
AmazonMAL,
User Rank: Apprentice
5/18/2012 | 4:03:10 PM
re: Security Fail: Apple iOS Password Managers
Hello, I am not a security expert, just have a question. Keeper is updating to version 5 soon and they say "We are increasing the encryption levels of the master password and data storage to add additional protection for our users. For those of you who are technically savvy, all password hashes will be encoded with BCrypt, supported with 128-bit AES for all symmetric ciphers."
Will this make the product more secure? Using on device with IOS pass codes.
Stephen Lombardo
50%
50%
Stephen Lombardo,
User Rank: Apprentice
3/22/2012 | 10:41:01 PM
re: Security Fail: Apple iOS Password Managers
I'm one of the developers of STRIP, the password manager that was favorably reviewed by the presenters. This paper was especially important because it exposed a range of serious issues, from apps that don't even encrypt data, to real flaws in crypto implementations. These findings have sparked a lot of interest in STRIP because of it's resilience to password cracking (we've released converters from other less-secure programs, like SplashID : http://getstrip.com/switch).

That said, the premise holds that, regardless of the application used, numeric PIN numbers are not safe. The choice of password is thus very important and a key factor in the overall security of any encryption system, and there just isn't enough entropy in a numeric passcode to render brute force attacks infeasible. With a fast GPU an 8 digit numeric PIN could take a few hours to crack, yet an 8 character random alphanumeric password with meta-characters would take thousands of years.
Khad Young
50%
50%
Khad Young,
User Rank: Apprentice
3/17/2012 | 1:58:42 AM
re: Security Fail: Apple iOS Password Managers
I though it may be prudent to post the email that we sent Matthew earlier which includes a link to our response for the benefit of those following along at home.

---

Hi Matthew, it's good to see tech publications bringing up the topic of security in the mobile space. It's a tough nut to crack in some key ways.

We read your piece and our co-founder wrote a response about how we approach some of these issues as well as some of our plans for updates in the future, including 1Password 4. Could you take a look and let me know if you have any questions?

http://blog.agilebits.com/2012...

I think some of our comments here could serve as a response to some of the issues brought up by Elcomsoft's white paper, but please let me know if you have any questions you would like to ask me or others at AgileBits. We're here to listen and help.

Thanks again, Matthew.

---
Khad Young
Forum Choreographer, AgileBits
http://agilebits.com/support
clurey606
50%
50%
clurey606,
User Rank: Apprentice
3/16/2012 | 11:11:54 PM
re: Security Fail: Apple iOS Password Managers
The app developers should have been contacted prior to the release of this document. There are many statements here which are not accurate and oversimplified.


White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.