I found this report by ElcomSoft pretty interesting. You know all the password managers we rely on? Well, the good folks over at ElcomSoft did an in-depth analysis of those that have mobile phone versions of their apps. Focusing on iOS and BlackBerry, they ended up finding that many of the apps were not worth using in place of the default device lock feature.
ElcomSoft analyzed 17 popular password management apps available for Apple iOS and BlackBerry platforms, including free and commercially available tools, and discovered that no single password keeper app provides a claimed level of protection.
None of the password keepers except one are utilizing the iOS or BlackBerry existing security model, relying instead on their own implementation of data encryption.
Research shows that those implementations fail to provide an adequate level of protection, allowing an attacker to recover encrypted information in less than a day if the user-selectable Master Password is 10 to 14 digits long.
According to an InformationWeek.com article, the two researchers involved in the study seemed to prefer Strip Lite (free) or mSecure ($10) if you were going to consider protection beyond the recommended OS security mechanisms. Their method of evaluating the apps was a little different from most; for example, they preferred apps that used Blowfish over those that used AES for the simple fact that there were fewer pre-built crackers out there for Blowfish. I was a little saddened to see my fav tool didn’t get high marks, but then it wasn’t totally torn apart like some of the others.
The full list of apps they looked at included the following. The two preferred apps, Strip Lite and mSecure, were marked in green in the original post, and the three the researchers referred to as the “unsafe triplets” in red; everything else falls in the middle.
- Keeper Password & Data Vault
- My Eyes Only – Secure Password Manager
- Password Safe – iPassSafe free version
- Strip Lite – Password Manager
- iSecure Lite Password Manager
- Secret Folder Lite
- Ultimate Password Manager Free
- 1Password Pro ($15)
- DataVault Password Manager ($10)
- LastPass for Premium Customers ($1/month)
- mSecure – Password Manager ($10)
- SafeWallet – Password Manager ($4)
- SplashID Safe for iPhone ($10)
- BlackBerry Password Keeper
- BlackBerry Wallet 1.0
- BlackBerry Wallet 1.2
Overall, ElcomSoft suggests using the built-in mobile phone OS protection mechanisms instead, as that protection is better than any that these add-on apps can provide. In the case of iOS this means:
- Configuring your phone to lock and require a passcode to unlock;
- Configuring your phone backups to be encrypted using a complex password; and
- Never plug your unlocked device into an untrusted computer.
For the first recommendation I think most of us know that the whole PIN thing should be discarded in favor of a full-keyboard passcode for complexity reasons. Even if you continue to use all numbers, at least it increases the key space that someone would have to attack. On the BlackBerry side ElcomSoft recommends:
- Configuring the device to require a strong password;
- Setting one of several specific configurations for media card encryption; and
- Disabling unencrypted backups.
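To put numbers behind two points above (the report's "less than a day" for a 10 to 14 digit master password, and the key-space argument for dropping a short numeric PIN), here is an added example. It is not code from ElcomSoft or from any of the apps listed, and the weak key derivation is a generic stand-in for a home-grown scheme, not a claim about any particular app. The master password, salt and iteration counts are constructed values. It cracks a short numeric password under a single-hash KDF, measures this machine's single-core guess rate for that KDF and for PBKDF2, and extrapolates how long exhausting 10-digit, 14-digit and 8-character alphanumeric spaces would take. Real offline crackers on GPUs run orders of magnitude faster than this Python loop, so treat the absolute figures as upper bounds and the ratios as the lesson.

```python
"""Numeric master passwords vs. key derivation cost (added example)."""
import hashlib
import hmac
import itertools
import time
from typing import Callable, Optional, Tuple

SALT = b"constructed-per-vault-salt"   # assumption: fixed demo salt
DIGITS = "0123456789"


def weak_kdf(password: str) -> bytes:
    """One SHA-1 over salt||password: a stand-in for an app's 'own implementation'.
    Each guess costs the attacker a single hash."""
    return hashlib.sha1(SALT + password.encode()).digest()


def strong_kdf(password: str, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: each guess costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations)


def brute_force_numeric(target: bytes, kdf: Callable[[str], bytes],
                        length: int) -> Tuple[Optional[str], int]:
    """Exhaust every `length`-digit numeric password in order (00..0 first).
    Returns (recovered password or None, number of guesses made)."""
    for n, digits in enumerate(itertools.product(DIGITS, repeat=length), start=1):
        candidate = "".join(digits)
        if hmac.compare_digest(kdf(candidate), target):
            return candidate, n
    return None, 10 ** length


def guesses_per_second(kdf: Callable[[str], bytes], samples: int = 200) -> float:
    """Measure this machine's single-threaded guess rate for a KDF."""
    t0 = time.perf_counter()
    for i in range(samples):
        kdf(f"{i:010d}")
    return samples / (time.perf_counter() - t0)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of a given length over an alphabet."""
    return alphabet_size ** length


def days_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate / 86_400


def main() -> None:
    secret = "40821"                      # constructed 5-digit master password
    hit, guesses = brute_force_numeric(weak_kdf(secret), weak_kdf, len(secret))
    print(f"weak KDF: recovered {hit!r} after {guesses} guesses")

    for name, kdf, samples in (("1x SHA-1", weak_kdf, 2000),
                               ("PBKDF2 100k", strong_kdf, 10)):
        rate = guesses_per_second(kdf, samples)
        print(f"\n{name}: {rate:,.0f} guesses/s on one core")
        for label, space in (("4-digit PIN", keyspace(10, 4)),
                             ("10 digits", keyspace(10, 10)),
                             ("14 digits", keyspace(10, 14)),
                             ("8 alphanumeric", keyspace(62, 8))):
            print(f"  {label:>15}: {days_to_exhaust(space, rate):,.3f} days")


if __name__ == "__main__":
    main()
```

The takeaway the table makes visible: the key space of a 4-digit PIN (10,000) is gone instantly under either KDF, a 10-digit numeric code survives a single core only because of the iteration count, and an 8-character alphanumeric passcode (62^8, about 2.2 x 10^14 candidates) is the first space where even the weak KDF stops being a same-day job on one core. A stretched KDF buys time; a larger alphabet buys more.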
What’s your favorite password manager? How did ElcomSoft rate it? Today’s post pic is from CultOfMac.com.