Comments
Security Fail: Apple iOS Password Managers
Newest First  |  Oldest First  |  Threaded View
clurey606
50%
50%
clurey606,
User Rank: Apprentice
2/21/2013 | 8:51:36 PM
re: Security Fail: Apple iOS Password Managers
FYI, both researchers at Elcomsoft have since left the company and refuse to update their research findings. "Keeper" rolled out numerous security updates in 2012 to address these issues.
Stuart12345
50%
50%
Stuart12345,
User Rank: Apprentice
11/20/2012 | 1:21:06 AM
re: Security Fail: Apple iOS Password Managers
Why put a lock on a window when most theives will gain entry with the use of a brick through the glass. Sure you can put a wire grill over the glass but there is always some other way to break through.
When 50% of the public don't have a password on their mobile device. Technology security such as Password locks stop the 95% and Password managers stop the 99.9% of theives, they lift the security defences. But nothing will be a 100% secure technology option in a networked and human world with social engineering strategies. Hence why isolated systems are ultimately the best defence for governments and military.
Great article, didn't see KeePass product in the write up.
Gurudatt
50%
50%
Gurudatt,
User Rank: Apprentice
11/13/2012 | 5:55:50 PM
re: Security Fail: Apple iOS Password Managers
How about ForgetPass.com? It does even have a registration and sign in page. And all your passwords are encrypted and stored locally on your computer.
AmazonMAL
50%
50%
AmazonMAL,
User Rank: Apprentice
5/18/2012 | 4:03:10 PM
re: Security Fail: Apple iOS Password Managers
Hello, I am not a security expert, just have a question. Keeper is updating to version 5 soon and they say "We are increasing the encryption levels of the master password and data storage to add additional protection for our users. For those of you who are technically savvy, all password hashes will be encoded with BCrypt, supported with 128-bit AES for all symmetric ciphers."
Will this make the product more secure? Using on device with IOS pass codes.
Stephen Lombardo
50%
50%
Stephen Lombardo,
User Rank: Apprentice
3/22/2012 | 10:41:01 PM
re: Security Fail: Apple iOS Password Managers
I'm one of the developers of STRIP, the password manager that was favorably reviewed by the presenters. This paper was especially important because it exposed a range of serious issues, from apps that don't even encrypt data, to real flaws in crypto implementations. These findings have sparked a lot of interest in STRIP because of it's resilience to password cracking (we've released converters from other less-secure programs, like SplashID : http://getstrip.com/switch).

That said, the premise holds that, regardless of the application used, numeric PIN numbers are not safe. The choice of password is thus very important and a key factor in the overall security of any encryption system, and there just isn't enough entropy in a numeric passcode to render brute force attacks infeasible. With a fast GPU an 8 digit numeric PIN could take a few hours to crack, yet an 8 character random alphanumeric password with meta-characters would take thousands of years.
Khad Young
50%
50%
Khad Young,
User Rank: Apprentice
3/17/2012 | 1:58:42 AM
re: Security Fail: Apple iOS Password Managers
I though it may be prudent to post the email that we sent Matthew earlier which includes a link to our response for the benefit of those following along at home.

---

Hi Matthew, it's good to see tech publications bringing up the topic of security in the mobile space. It's a tough nut to crack in some key ways.

We read your piece and our co-founder wrote a response about how we approach some of these issues as well as some of our plans for updates in the future, including 1Password 4. Could you take a look and let me know if you have any questions?

http://blog.agilebits.com/2012...

I think some of our comments here could serve as a response to some of the issues brought up by Elcomsoft's white paper, but please let me know if you have any questions you would like to ask me or others at AgileBits. We're here to listen and help.

Thanks again, Matthew.

---
Khad Young
Forum Choreographer, AgileBits
http://agilebits.com/support
clurey606
50%
50%
clurey606,
User Rank: Apprentice
3/16/2012 | 11:11:54 PM
re: Security Fail: Apple iOS Password Managers
The app developers should have been contacted prior to the release of this document. There are many statements here which are not accurate and oversimplified.


Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-14185
PUBLISHED: 2018-05-25
An Information Disclosure vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.8 and 5.2 all versions allows SSL VPN web portal users to access internal FortiOS configuration information (eg:addresses) via specifically crafted URLs inside the SSL-VPN web portal.
CVE-2018-8862
PUBLISHED: 2018-05-25
In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, an improper authentication vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms.
CVE-2018-8864
PUBLISHED: 2018-05-25
In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, a missing encryption of sensitive data vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms.
CVE-2018-8871
PUBLISHED: 2018-05-25
In Delta Electronics Automation TPEditor version 1.89 or prior, parsing a malformed program file may cause heap-based buffer overflow vulnerability, which may allow remote code execution.
CVE-2017-9641
PUBLISHED: 2018-05-25
PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability.