Comments
Security Fail: Apple iOS Password Managers
Newest First  |  Oldest First  |  Threaded View
clurey606
50%
50%
clurey606,
User Rank: Apprentice
2/21/2013 | 8:51:36 PM
re: Security Fail: Apple iOS Password Managers
FYI, both researchers at Elcomsoft have since left the company and refuse to update their research findings. "Keeper" rolled out numerous security updates in 2012 to address these issues.
Stuart12345
50%
50%
Stuart12345,
User Rank: Apprentice
11/20/2012 | 1:21:06 AM
re: Security Fail: Apple iOS Password Managers
Why put a lock on a window when most theives will gain entry with the use of a brick through the glass. Sure you can put a wire grill over the glass but there is always some other way to break through.
When 50% of the public don't have a password on their mobile device. Technology security such as Password locks stop the 95% and Password managers stop the 99.9% of theives, they lift the security defences. But nothing will be a 100% secure technology option in a networked and human world with social engineering strategies. Hence why isolated systems are ultimately the best defence for governments and military.
Great article, didn't see KeePass product in the write up.
Gurudatt
50%
50%
Gurudatt,
User Rank: Apprentice
11/13/2012 | 5:55:50 PM
re: Security Fail: Apple iOS Password Managers
How about ForgetPass.com? It does even have a registration and sign in page. And all your passwords are encrypted and stored locally on your computer.
AmazonMAL
50%
50%
AmazonMAL,
User Rank: Apprentice
5/18/2012 | 4:03:10 PM
re: Security Fail: Apple iOS Password Managers
Hello, I am not a security expert, just have a question. Keeper is updating to version 5 soon and they say "We are increasing the encryption levels of the master password and data storage to add additional protection for our users. For those of you who are technically savvy, all password hashes will be encoded with BCrypt, supported with 128-bit AES for all symmetric ciphers."
Will this make the product more secure? Using on device with IOS pass codes.
Stephen Lombardo
50%
50%
Stephen Lombardo,
User Rank: Apprentice
3/22/2012 | 10:41:01 PM
re: Security Fail: Apple iOS Password Managers
I'm one of the developers of STRIP, the password manager that was favorably reviewed by the presenters. This paper was especially important because it exposed a range of serious issues, from apps that don't even encrypt data, to real flaws in crypto implementations. These findings have sparked a lot of interest in STRIP because of it's resilience to password cracking (we've released converters from other less-secure programs, like SplashID : http://getstrip.com/switch).

That said, the premise holds that, regardless of the application used, numeric PIN numbers are not safe. The choice of password is thus very important and a key factor in the overall security of any encryption system, and there just isn't enough entropy in a numeric passcode to render brute force attacks infeasible. With a fast GPU an 8 digit numeric PIN could take a few hours to crack, yet an 8 character random alphanumeric password with meta-characters would take thousands of years.
Khad Young
50%
50%
Khad Young,
User Rank: Apprentice
3/17/2012 | 1:58:42 AM
re: Security Fail: Apple iOS Password Managers
I though it may be prudent to post the email that we sent Matthew earlier which includes a link to our response for the benefit of those following along at home.

---

Hi Matthew, it's good to see tech publications bringing up the topic of security in the mobile space. It's a tough nut to crack in some key ways.

We read your piece and our co-founder wrote a response about how we approach some of these issues as well as some of our plans for updates in the future, including 1Password 4. Could you take a look and let me know if you have any questions?

http://blog.agilebits.com/2012...

I think some of our comments here could serve as a response to some of the issues brought up by Elcomsoft's white paper, but please let me know if you have any questions you would like to ask me or others at AgileBits. We're here to listen and help.

Thanks again, Matthew.

---
Khad Young
Forum Choreographer, AgileBits
http://agilebits.com/support
clurey606
50%
50%
clurey606,
User Rank: Apprentice
3/16/2012 | 11:11:54 PM
re: Security Fail: Apple iOS Password Managers
The app developers should have been contacted prior to the release of this document. There are many statements here which are not accurate and oversimplified.


Microsoft, Mastercard Aim to Change Identity Management
Kelly Sheridan, Staff Editor, Dark Reading,  12/3/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10008
PUBLISHED: 2018-12-10
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended...
CVE-2018-10008
PUBLISHED: 2018-12-10
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace br...
CVE-2018-10008
PUBLISHED: 2018-12-10
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jen...
CVE-2018-10008
PUBLISHED: 2018-12-10
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.
CVE-2018-10008
PUBLISHED: 2018-12-10
A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy san...