Mobile Password Managers … Fail

March 20, 2012

I found this report by ElcomSoft pretty interesting. You know all the password managers we rely on? Well, the good folks over at ElcomSoft did an in-depth analysis of those that have mobile phone versions of their apps. Focusing on the iOS and BlackBerry OSes, they ended up finding that many of the apps were not worthy of being used over the default device lock feature.

via Net-Security.org

ElcomSoft analyzed 17 popular password management apps available for Apple iOS and BlackBerry platforms, including free and commercially available tools, and discovered that no single password keeper app provides a claimed level of protection.

None of the password keepers except one are utilizing the iOS or BlackBerry existing security model, relying instead on their own implementation of data encryption.

Research shows that those implementations fail to provide an adequate level of protection, allowing an attacker to recover encrypted information in less than a day if the user-selectable Master Password is 10 to 14 digits long.

Continued here.

According to an InformationWeek.com article, the two researchers involved in the study seemed to prefer Strip Lite (free) or mSecure ($10) if you were going to consider protection beyond the recommended OS security mechanisms. Their method of evaluating the apps was a little different than most; for example, they preferred apps that used Blowfish over those that used AES for the simple reason that there were fewer pre-built crackers out there for Blowfish. I was a little saddened to see my fav tool didn’t get high marks, but then it wasn’t totally torn apart like some of the others.

The full list of apps they looked at is below. The two preferred apps (Strip Lite and mSecure) were marked in green in the original post, while the ones the researchers referred to as the “unsafe triplets” of the set they tested were marked in red. Everything else falls in the middle.

iOS Free

  • Keeper Password & Data Vault
  • My Eyes Only – Secure Password Manager
  • Password Safe – iPassSafe free version
  • Strip Lite – Password Manager
  • iSecure Lite Password Manager
  • Secret Folder Lite
  • Ultimate Password Manager Free

iOS Paid

  • 1Password Pro ($15)
  • DataVault Password Manager ($10)
  • LastPass for Premium Customers ($1/month)
  • mSecure – Password Manager ($10)
  • SafeWallet – Password Manager ($4)
  • SplashID Safe for iPhone ($10)

BlackBerry

  • BlackBerry Password Keeper
  • BlackBerry Wallet 1.0
  • BlackBerry Wallet 1.2

Overall, ElcomSoft suggests using the built-in mobile phone OS protection mechanisms instead, as that protection is better than anything these add-on apps can provide. In the case of iOS this means:

  • Configuring your phone to lock and require a passcode to unlock;
  • Configuring your phone backups to be encrypted using a complex password; and
  • Never plugging your unlocked device into an untrusted computer.

For the first recommendation, I think most of us know that the whole PIN thing should be discarded in favor of a full keyboard for complexity reasons. Even if you continue to use all numbers, at least it increases the key space that someone would have to attack, since the attacker can no longer assume a digits-only passcode. On the BlackBerry side ElcomSoft recommends:

  • Configuring the device to require a strong password;
  • Setting one of several specific configurations for media card encryption; and
  • Disabling unencrypted backups.
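The key-space argument above, and the report’s claim that a 10- to 14-digit master password falls in under a day, can be put into numbers. The following is an added example, not code from this post or from ElcomSoft: it computes the size of the password space and the worst-case time to exhaust it at an assumed offline guess rate, and shows the PBKDF2 stretching step that a manager doing its own encryption should use so that every guess costs the attacker real work. The character sets, the guess rate and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import os
import string

# Candidate alphabets for a master password (constructed for this example).
CHARSETS = {
    "digits": string.digits,                                                    # 10 symbols
    "alnum": string.ascii_letters + string.digits,                              # 62 symbols
    "alnum+symbols": string.ascii_letters + string.digits + string.punctuation, # 94 symbols
}

def keyspace(charset: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `charset`."""
    return len(CHARSETS[charset]) ** length

def seconds_to_exhaust(charset: str, length: int, guesses_per_second: float,
                       kdf_iterations: int = 1) -> float:
    """Worst-case time to try every candidate. Each guess has to repeat the
    key-derivation work, so `kdf_iterations` divides the attacker's rate."""
    effective_rate = guesses_per_second / kdf_iterations
    return keyspace(charset, length) / effective_rate

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    A random per-vault salt rules out precomputed tables; the iteration count
    is the per-guess cost an offline attacker has to pay."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

if __name__ == "__main__":
    RATE = 1e7        # assumed offline guess rate against an unstretched key, guesses/s
    ITER = 100_000    # assumed PBKDF2 iteration count
    for charset, length in (("digits", 8), ("digits", 14), ("alnum+symbols", 8)):
        plain = seconds_to_exhaust(charset, length, RATE)
        stretched = seconds_to_exhaust(charset, length, RATE, ITER)
        print(f"{charset:>14} x{length:2}: {plain / 86400:14.1f} days unstretched, "
              f"{stretched / 86400:18.1f} days with {ITER} iterations")
    salt = os.urandom(16)   # per-vault salt, generated fresh when the vault is created
    key = derive_vault_key("correct horse battery", salt, ITER)
    print("vault key:", key.hex())
```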

ElcomSoft’s press release and the full whitepaper (PDF) can be found on their website.

#####

What’s your favorite password manager? How did ElcomSoft rate it? Today’s post pic is from CultOfMac.com.


9 Responses to Mobile Password Managers … Fail

  1. @suffert on March 20, 2012 at 11:06 am

    Mobile Password Managers … Fail http://t.co/CJAuDGJO

  2. @novainfosec on March 20, 2012 at 4:14 pm

    In case you missed .. Mobile Password Managers … Fail http://t.co/B1rX0XEb

  3. Adam Ely (@adamely) on March 21, 2012 at 12:21 pm

    RT @taylorbanks: RT @acehackware: Mobile Password Managers … Fail http://t.co/D3yaeQgR

  4. @grecs on March 21, 2012 at 1:04 pm

    Are Password Managers Worth It? Some researchers think not. http://t.co/pmUcatYo

  5. @novainfosec on March 21, 2012 at 1:04 pm

    Are Password Managers Worth It? Some researchers think not. http://t.co/B1rX0XEb

  6. @grecs on March 22, 2012 at 8:57 am

    BLOGGED: Mobile Password Managers … Fail http://t.co/pmUcatYo

  7. Stephen Lombardo on March 22, 2012 at 6:29 pm

    I’m one of the developers of STRIP, the password manager that was favorably reviewed and recommended at the same conference. The ElcomSoft paper was very interesting in that it exposed a range of serious issues, from apps that don’t even encrypt data, to real flaws in crypto implementations. These findings are far reaching, and have sparked a lot of interest in STRIP because of its resilience to password cracking (so much so that we’ve recently released converters from other less-secure programs: http://getstrip.com/switch).

    However, you are quite correct that one of the biggest takeaways, regardless of the application used, is that numeric PIN numbers are NOT safe – there is just not enough entropy in a numeric passcode to make brute force attacks infeasible. With a fast brute force attack an 8 digit numeric PIN could take less than 1 day to crack, yet an 8 character random alphanumeric password with meta-characters would take thousands of years. The choice of password is thus very important and a key factor in the overall security of any encryption system.

  8. Dan Sherman (@0xjudd) on March 22, 2012 at 10:35 pm

    Mobile Password Managers … Fail http://t.co/yyv2efK7

  9. [...] agree that proprietary crypto is a bad thing, but I find fault with articles such as this one where the researchers suggest that using the built in iOS functions are safer than using a password [...]
