
Throwing Light On Elcomsoft's Analysis of Smartphone Password Managers

timothy posted more than 2 years ago | from the security-is-a-four-letter-word dept.


An anonymous reader writes "Security firm Elcomsoft analyzed 17 iOS and BlackBerry password-keeping apps and found their actual security levels well below their claimed level of protection. With additional digging, however, Glenn Fleishman at TidBITS found that Elcomsoft's criticisms rely on physical access to the apps' data stores, and, for some of the more common apps, on the user employing a short (6 characters or fewer) or numeric password. In other words, there really isn't much risk here."


48 comments


Smartphones, HA. (-1, Troll)

Ethanol-fueled (1125189) | more than 2 years ago | (#39386013)

Smartyphone users should be smacked in their mouths with rolled-up newspapers.

Re:Smartphones, HA. (-1)

Anonymous Coward | more than 2 years ago | (#39386241)

Smartyphone users should be smacked in their mouths with rolled-up newspapers.

Nah there's people a lot dumber than smartphone users. Like liberals. Not talkin about classical liberals, we call those libertarians today. Just regular modern liberals.

A liberal is: somebody who sees how corrupt, incompetent and downright evil our government is, sees all of that, and then says "say, we need to give them more power and let them control more things because somehow that'll all work out great!" How can anybody be so stupid?

Re:Smartphones, HA. (-1)

Anonymous Coward | more than 2 years ago | (#39386353)

Motherfuckers with Obama2012 bumper stickers on their cars (mostly Priuses) should be smacked in their mouths with rolled-up newspapers.

Modern liberals are just goddamn welfare queens or elite upper and upper-middle class welfare-queen lovers who have the ivory-tower vantage points and don't have to worry about rising tuition costs(community college is going to be $46 a unit next semester) because the local campus wanted a new $300,000/yr "diversity" director or letting the illegal spics have carte blanche going apeshit with taxpayer money (DREAM act) to get free rides through college while students with middle-class parents are stuck with the bill.

Fuck those punk motherfuckers. Throw the illegals the fuck out. Make 'em stand in line(not the unemployment line) and play by the rules. California is in deficit because the goddamn leeches are, fiscally and culturally, draining the lifeblood out of the richest, best state in the union.

While we're at it, throw all of the fuckin' social conservatives out. They want to live in the 14th century, then they can go frolic in rural Kentucky or Mississippi. I don't know about you all, but I want to smoke pot. And I want to do it without being busted. And I want homosexuals to get married and have the buttsex. And I want the living fuck taxed out of the rich. There's a reason why people pay big money to live in California - because they can't get "that" anywhere else. And if high taxes cause them to leave, boo fucking hoo - then the rich who are willing to pay those taxes will move in, and property values will drop because all of the misers are moving out. And boo-fucking-hoo to you if you paid $750K for a house that was only really worth $300K - people like you are the chum of the real estate business, ground up for others to feed on your remains. Landlords are fucking scum anyway.

Come to think of it, this country as a whole is not worth saving. California, Oregon, and Washington should unite and secede from the union, kicking out all of the illegals, expatriates, and feds. We're better than to be dragged down with that sinking, stinking cesspool run by Capitol Hill.

-- Ethanol-fueled

Re:Smartphones, HA. (0)

GmExtremacy (2579091) | more than 2 years ago | (#39386365)

The real question is this: why haven't you switched to Gamemaker yet? Are you perhaps missing some gigabits on your puter...?

Re:Smartphones, HA. (1)

jmcvetta (153563) | more than 2 years ago | (#39387719)

Awww dude, put your name to it! There's so much that you said that's just right, and yet so much you said that's just asininely wrong.. but who wants to debate an AC?

My scheme (1)

Anonymous Coward | more than 2 years ago | (#39386019)

I just add my ss # and phone number and bam - secure unforgettable password!

Re:My scheme (1)

DMUTPeregrine (612791) | more than 2 years ago | (#39386439)

Bah, that's too easy to discover! I use really secret values that nobody knows, like a secret number where the ratio of the sum of the secret number plus one is equal to the ratio of the secret number to one. No one has ever used it, and nobody else has the mathematical genius to calculate it!

WTH (1)

Anonymous Coward | more than 2 years ago | (#39386021)

Glenn Fleishman does understand that encrypted data should be safe even in the hands of the enemy? Also, totally didn't read that article.

Re:WTH (2, Interesting)

Anonymous Coward | more than 2 years ago | (#39386121)

I have no idea why someone would gloss over / apologize for half-baked attempts at practical crypto, as Glenn Fleishman appears to have done here ("oh yeah, it's not really secure, did you reeeally need that?"). Does he have a horse in this race?

Re:WTH (5, Informative)

rtfa-troll (1340807) | more than 2 years ago | (#39387083)

I have no idea why someone would gloss over / apologize for half-baked attempts at practical crypto, as Glenn Fleishman appears to have done here ("oh yeah, it's not really secure, did you reeeally need that?"). Does he have a horse in this race?

Very good question (mods; you should be reading at -1). Having looked about a bit it seems that he has been recommending this password software, for example he recommended 1password pro [tidbits.com] which has multiple problems; doesn't use the keychain; encourages use of a PIN for security and (to quote Elcomsoft):

Thus, very fast password recovery attack is possible, requiring one MD5 computation and one AES trial decryption per password.

When you write articles on a topic you likely get advertising revenue from that, so it's possible he's also being attacked on his income. As they say, "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" (N.B. I am not suggesting conscious corruption or something).

In the end I guess I had better put it in an obXKCD which puts this better than I could [xkcd.com] .

Re:WTH (1)

eggboard (315140) | more than 2 years ago | (#39392859)

I'm never sure if Slashdot commenters read the original article or the blurb.

In the article, which I wrote, I explain the precise degree of risk, who is at risk, and how to mitigate.

* Recommending software: I did not write the article about 1Password Pro; Joe Kissell did.

* I do not receive a share of advertising revenue, nor is any of my writing for any of many publications based on advertising revenue. I receive a fixed fee arranged in advance. Only the publication knows whether or not advertising was justified.

* Attacked on his income: Neither the publication TidBITS nor I personally have any income issues associated with the sale of any security software.

This article was for normal folks, not security experts, and tried to explain in clear terms how to disable (for instance) any PIN-based access or switch away from numbers-only passwords.

The criticism here seems misplaced, conspiracy oriented, and not based on a reading of the article.

Re:WTH (1)

rtfa-troll (1340807) | more than 2 years ago | (#39394583)

Thanks for responding. First I'd like to apologise. I tried to make it clear that I don't think you are deliberately trying to mislead. I clearly failed. I'll say it again but more clearly. Nothing I could see in the article you wrote made me think you were acting in anything other than good faith. I think you should have written some things differently, but I do not see this as a deliberate attempt to mislead.

Now this is my understanding of the situation as it is now and why I think your publication should repudiate its support for 1password:

The aim of a password safe is to increase security. There is a very simple and functional alternative to a password safe; to use the same password on all sites. In that case there is no problem whatsoever with remembering which site has what password (since they are all the same). However, there's a specific change of risk here.

  • - compromise of one password, e.g. from a network capture, does not compromise all sites
  • - it is easier to use more secure longer passwords which are harder to guess
  • + compromise of the password safe compromises all passwords, even higher security ones which were different
  • + compromise of the password safe gives a list of sites for the attacker to attack
  • + since the attacker can target only specific sites she is less likely to be discovered
  • + a remote compromise of the device can compromise all passwords once one is used rather than just the ones which are used during the time the device is compromised

So a password safe trades one threat; that the user's password for one site will be found from the password from another site; for a different threat; that the user's password safe will give away all of the user's passwords for all sites. When you think about this, it's actually trading a lesser potential damage for a greater one.

That trade off is only acceptable when the chance of the password safe compromise is considerably reduced. Good designs for this are clearly available in open texts. There are multiple elements; all of which were included in programs such as "Password Safe" which are inspiration for most of the modern software of this type. These elements include:

  • encouraging a strong / long password
  • using password strengthening
  • ensuring the use of secure memory

To these elements I would currently add that on a modern system they should probably have additional protection from facilities of the operating system such as fully encrypted disks on Linux or the keychain on iOS and OS X.

Many of the programs listed, including the one recommended by your website, fail to provide these basics. The full implications of this will depend on the user's threat environment and behaviour profile. However, I think it's pretty clear that for many, possibly even most of your readers, using a badly designed password safe will increase their risk over using none at all.

Put simply: the current recommendation on your web site, to use 1passwd, seems to increase your readers' risks and does so with no justification since there are better alternatives available which do not do so. Elcomsoft has correctly pointed this out although they have not put it fully clearly. You should be telling your users to migrate from solutions previously suggested by your web site to more secure ones.

Finally, I'd like to address, a little, your point about having no interest here. Firstly your site has published a review suggesting the use of one of the insecure products. Whether you were involved or not, you or your editor should be clearly retracting that recommendation.

Secondly you do get advertising money from security products. I have found several encryption and password related products advertised on your site. I can completely believe that you didn't think of this. It's on the boundary between careless and acceptable depending on the way the site works. However, now it's been pointed out, you should probably clearly state this. There are lots of indirect ways that this kind of thing can influence you. Maybe you have friends in the business who complain about unfair reviews of security products from other sites etc. etc. All I'd ask for is that you write this at the bottom of such articles and/or as a general site policy document. Especially with a more detailed version of the explanation you gave about independence in the parent post it would really clear up the situation. I know this is not the industry standard in much of the computing press, but in serious newspapers it would be expected.

I think if you did add such an explanation this might help you pause to think and you may see more of the threat in Elcomsoft's discoveries. In any case it would help the readers think for themselves. Remember bias is very often invisible to the person who holds it.

Finally, thanks for being directly addressable on this issue.

Re:WTH (1)

rtfa-troll (1340807) | more than 2 years ago | (#39394715)

Sorry; one part of your comment I didn't respond to with my other post [slashdot.org] . I read your original article (considered immoral around here; I took the "rtfa-troll" tag specifically so I could claim to be trolling if someone caught me doing this). You mentioned risk mitigation; I was not convinced by your arguments and they have mostly been answered elsewhere in the comments thread. I will point to some:

There is more risk if the cracker obtains access to your actual device, but that person must have significant forensic skills and software, and extracting the app data might take an inordinately long time

There are specific forensic devices which do this automatically and are available to the kinds of people who run organisations where stolen iPhones end up, not to mention large foreign competitors of the type of people who need and care about password safes and governments. These machines fully automate these attacks.

If you use iCloud for backups or have a strong, secret iTunes backup password, your device backups aren’t vulnerable.

Serious security concerns [sans.org] have been raised against iCloud by people with more security knowledge than myself. Also I am not aware of a serious outside audit with published results. I would not be prepared to accept this statement without much further research and access to Apple's design and implementation information.

If locked, the passcodes used by the iPad 2, third-generation iPad, and iPhone 4S are entirely secure unless the device was jailbroken before being locked.

In my experience, problems such as USB/Wireless etc. etc. exploits have always found ways to work around this security. Could you please give a bit more basis for this belief?

Simply put, good security should be made up of different layers where the failure of one layer will not lead to the others failing. I do not find the general security of iOS to be sufficiently convincing to consider running an insecure password manager on it a good idea.

Re:WTH (5, Funny)

binarylarry (1338699) | more than 2 years ago | (#39386125)

I think Mr Fleishman is well aware. After all, he is a columnist for an Apple magazine and has a degree in art.

Elcomsoft has only cracked bluray, dvd, HDDVD and most other forms of commercially available encryption. They're practically noobs and probably don't even own an iPhone between them (LOLZ!).

Re:WTH (0)

beelsebob (529313) | more than 2 years ago | (#39386173)

Actually, no – encrypted data absolutely isn't safe in the hands of the enemy. Assuming that the enemy can identify what's an important message, they will eventually crack it (by brute force if necessary). That's the key to why your messages are secure on the internet – your enemies can't identify what's important and what's not.

Re:WTH (1)

chrb (1083577) | more than 2 years ago | (#39386249)

As far as we know, data encrypted with a random key and modern algorithms ought to be safe in the hands of the enemy. I say as far as we know, because the NSA does not reveal exactly what they can and can't crack. There is no practical way to brute force any of the modern algorithms: 256 bits is roughly equal to the number of atoms in the universe. [zdnet.com]

Re:WTH (1, Funny)

jhoegl (638955) | more than 2 years ago | (#39386521)

How can something be "roughly equal" to something else? o.O

Re:WTH (5, Informative)

philip.paradis (2580427) | more than 2 years ago | (#39386323)

You have demonstrated a profound level of ignorance of the most basic elements of cryptography. May I suggest spending some quality time with Applied Cryptography [schneier.com] , among other notable and readily available references in the field.

Re:WTH (1)

rtfa-troll (1340807) | more than 2 years ago | (#39387107)

The entire threat model for a password safe is that your phone gets stolen. Otherwise a plaintext list of passwords would pretty much do. If the enemy never gets the data then they can never do anything with it even if it isn't encrypted. Oh, and what the others said about bruteforcing.

Re:WTH (1)

noh8rz3 (2593935) | more than 2 years ago | (#39386319)

ftfs:

In other words, there really isn't much risk here.

... for certain cases of "here" where users utilize long passwords and hackers can't access the device. So we're good!

KeePass? (1)

hawguy (1600213) | more than 2 years ago | (#39386187)

This isn't one of the ones they tested, but does anyone know how safe KeePass [keepass.info] is?

I use this on my desktop and Droid, which is pretty convenient since I can share the database file between them.

Re:KeePass? (5, Insightful)

unrtst (777550) | more than 2 years ago | (#39386395)

KeePass [keepass.info] is also available for PocketPC, Windows Phone 7, iPhone/iPad (multiple versions), Android, J2ME, BlackBerry, PalmOS, Linux, Mac OS X, Windows 98 through 7 + Wine + Mono, and there are libs that tie into several programming languages.

I read through the article, the linked PDF, and the PDF linked from the PDF to find out they didn't even test KeePass, which, AFAIK, is one of the most popular and widely available password managers out there.

I really hate it when someone claims to do a thorough test on something and states something like either "Of all the X we tested, none of them passed" or "Of all the X we tested, only one came close to passing". The former makes me think they should get off their high horse and write it themselves if it's so obvious. The latter that they're just trolling to push one product... especially when there are glaring holes in the tests.

Re:KeePass? (1)

sapphire wyvern (1153271) | more than 2 years ago | (#39390003)

Do you have any knowledge of which iOS implementations are better? I just got my first iOS device and I'm wondering which version of KeePass to install. It would be very bad news to pick one that isn't trustworthy.

Re:KeePass? (1)

BagOBones (574735) | more than 2 years ago | (#39391219)

MiniKeepass for iOS is good, doesn't have built in sync but supports passing the database between apps like dropbox.

Don't know if the implementation is good. It defaults to a pin / remember password option but you can disable that.

There are several others however only look at the ones that have updated recently. Several are in the app store but are very out dated.

MiniKeePass is the cheapest one that supports the current 2.x file format.

Re:KeePass? (1)

sapphire wyvern (1153271) | more than 2 years ago | (#39392861)

Thanks for the advice. I'll look into it.

Re:KeePass? (0)

Anonymous Coward | more than 2 years ago | (#39386689)

Assuming that their key derivation scheme is sound, KeePass is probably 6000 times better than any of the "AES bound" systems covered in the paper.

Here's the summary of their key derivation as it relates to dictionary attacks: http://keepass.info/help/base/security.html#secdictprotect
This shows that they've put some thought into the issues that Elcomsoft is criticizing in other password managers. I don't know enough to say that this is a legitimate use of AES, and part of me is disappointed that they rolled their own system rather than using something like http://en.wikipedia.org/wiki/PBKDF2

Re:KeePass? (0)

Anonymous Coward | more than 2 years ago | (#39386879)

I can't speak to other managers, but KeePass on Android allows keyfiles to be used as well as passwords. Combine this with the CifsManager program (or do it manually if you're a masochist) to easily share a keyfile to your android phone - now you have easy access to your passwords while at home, yet no one can possibly (assuming you use a strong keyfile) get your passwords if you leave your phone somewhere.
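The two comments above (key strengthening in place of a bare hash, and a key file that must be combined with the password) can be put together in a small script. This is an added example, not code from KeePass, KeePassDroid or the original posts; the composite-key layout, the PBKDF2-HMAC-SHA256 strengthening step, the iteration default and the HMAC check value are all constructed for illustration rather than taken from any real database format.

```python
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 100_000  # constructed default; tune to ~1 s on the device


def composite_key(password, keyfile_bytes=None):
    """Combine the password with an optional key file. Each input is hashed
    on its own, then the hashes are hashed together, so an attacker needs
    both the password and the file to rebuild the key. Illustrative only;
    this is not KeePass's own composite-key layout."""
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if keyfile_bytes is not None:
        parts.append(hashlib.sha256(keyfile_bytes).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def derive_master_key(composite, salt, iterations):
    """Key strengthening: PBKDF2-HMAC-SHA256 with a per-database salt makes
    each guess cost `iterations` hashes and rules out precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, 32)


def make_keyfile():
    """A random 32-byte key file, to be stored apart from the database."""
    return os.urandom(32)


def _check_value(key):
    # Lets the opener tell a wrong credential from a corrupt file without
    # storing anything derived directly from the password.
    return hmac.new(key, b"database-check", hashlib.sha256).digest()


def create_database(password, keyfile_bytes=None, iterations=DEFAULT_ITERATIONS):
    """Return the header a database would store: salt, iteration count and an
    HMAC check value. None of these fields reveals the password."""
    salt = os.urandom(16)
    key = derive_master_key(composite_key(password, keyfile_bytes), salt, iterations)
    return {"salt": salt, "iterations": iterations, "check": _check_value(key)}


def open_database(header, password, keyfile_bytes=None):
    """Rebuild the key from the supplied credentials; return it only when the
    check value matches, otherwise None."""
    key = derive_master_key(composite_key(password, keyfile_bytes),
                            header["salt"], header["iterations"])
    if hmac.compare_digest(_check_value(key), header["check"]):
        return key
    return None


if __name__ == "__main__":
    keyfile = make_keyfile()
    header = create_database("correct horse battery", keyfile, iterations=20_000)
    assert open_database(header, "correct horse battery", keyfile) is not None
    assert open_database(header, "correct horse battery") is None  # no key file
    assert open_database(header, "wrong password", keyfile) is None
    print("password alone does not open the database; the key file is required")
```

Without the key file the header gives a thief nothing to guess against but a 32-byte random value, which is the property the Android poster relies on when leaving the phone somewhere.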

Re:KeePass? (2)

Elrond, Duke of URL (2657) | more than 2 years ago | (#39387199)

I use KeePassX, a derivative of the original KeePass. It is also open and under the GPL. I gather that the major difference between it and the original KeePass is that its cross-platform nature is not dependent on Mono/.Net. The downside is that it does not yet support the KeePass 2.x DB format, but since I'm not using that, I don't mind.

I use KeePassX [keepassx.org] on Debian, the Windows port under Win7, and KeePassDroid [keepassdroid.com] on my phone. It all works really well. My only complaint with KeePassDroid is that it doesn't support file attachments that one can attach to an entry in the database. It doesn't appear to destroy them, it just ignores them right now. Other than that, it's great.

Nested links (4, Informative)

Scutter (18425) | more than 2 years ago | (#39386235)

So, the summary links to a summary, which links to a PDF of another summary, which links to a PDF of the actual study. Did we forget how the web is supposed to work?

Re:Nested links (1)

Anonymous Coward | more than 2 years ago | (#39386261)

sure, page views and ads.

Re:Nested links (0)

Anonymous Coward | more than 2 years ago | (#39387451)

No, the Slashdot editors just forgot what their job title entails.

Latest mobile prices, features, reviews (-1)

Anonymous Coward | more than 2 years ago | (#39386649)

http://www.mobilepriceinfo.com

mobile price info is the best mobile price website providing mobile prices, mobile reviews, mobile models, mobile features, and lots more so check it out

Pretty sad though... (3, Insightful)

sshock (975534) | more than 2 years ago | (#39386747)

It is pretty sad though how many of the apps don't encrypt the user data at all, or it's encrypted but the master password is stored in plaintext or is encrypted with a hard-coded key. Then there's many of them using strong crypto algs but not properly (e.g., what is the point of using PBKDF2 but with only 3 iterations?)

Re:Pretty sad though... (-1)

Anonymous Coward | more than 2 years ago | (#39386775)

It sounds like someone here is an Obamailure, and it ain't me. Honk.

physical access (0)

Anonymous Coward | more than 2 years ago | (#39386761)

Physical access is 9 bajillion times easier when it comes to phones than it is with desktops. There is risk here. If you lose your phone, and someone can access the stores, then you're effed.

Casted vs Thrown Illumination (4, Informative)

VortexCortex (1117377) | more than 2 years ago | (#39386843)

Shedding Light, Casting Light, or Bringing to Light -- but Throwing Light on something? Is this a thing? I mean, you can Throw a Switch, but Light?

That said, unless you're encrypting the datastore

However, the risk is quite low even without considering the issue of short (six or fewer characters, including letters, numbers, and punctuation) or solely numeric passwords. For starters, access to the app’s data store is required — either via an iTunes backup or an iOS device containing the app and its data — and any iOS security controls must be bypassed first. The flaws that Elcomsoft has identified cannot be exploited (as far as is currently known) over the Internet, which further limits exposure.

I wouldn't be too concerned if this were desktop PCs, but these are devices you carry around with you and may leave laying somewhere while you go to the bathroom, or have stolen. You shouldn't keep all your important passwords as plain-text in your wallet or purse... A weak password store is not much better than this.

There's a much higher chance of physical access to a portable device, especially one you carry with you everywhere in public, than there is to the desktop PC. This is why physical access is less of a concern for PCs than having it remotely exploited: You don't drag it around in public.

Physical access to the device means game over unless the data-store is strongly encrypted. Data Extraction Devices Exist [cnet.com] , and police have been using them without a warrant. To my knowledge these devices don't work on iPhones, yet, but anything in plain-text or enciphered weakly would still be a concern if physical access to the device is gained.

Having a password store with a weak password is a bit alarming. If you're going to have a central point of failure in your pocket, out on your desk, in your hand on a cab, then the security of that single point of failure is very important. I know an unscrupulous cab driver who gets $50 for handing your forgotten phones over to street thugs. They pay $75 if the device hasn't been locked. The thugs actually use Faraday cages to prevent remote wipes. The point is: They're already interested in your data. It's only a matter of time until they have tools to brute force your password stores, they may have them already. With a weak password that can be brute-forced in one or two days, this is an issue that would cause me concern. That is: I'd want a stronger password and a manager that requires re-auth after standby mode is entered -- Laymen, like my brother, actually think 4-6 character pass-code is adequate to protect their bank credentials.

IMHO, the fact that they allow such weak passwords for such an important single point of failure is a serious design flaw. If a weak password is used there should be some minimal end user education, perhaps via big splash screen saying: "Your Password is Very Weak -- Do Not Store Important Passwords in this Password Store"

Re:Casted vs Thrown Illumination (1)

jimicus (737525) | more than 2 years ago | (#39388013)

To my knowledge these devices don't work on iPhones, yet, but anything in plain-text or enciphered weakly would still be a concern if physical access to the device is gained.

Your knowledge is wrong. The manufacturer [cellebrite.com] has a list of supported phones, and every iOS device is on there. It even claims "iOS physical extraction, decoding & real-time decryption"; which suggests that either they've found a weakness, they have a backdoor in or they're making overblown claims and it simply tries a dictionary attack.

I have no idea how much they cost, whether the manufacturer has any qualms about selling them to whoever wants to buy or if they're sufficiently widespread that someone suitably unscrupulous could easily buy secondhand, borrow or steal one.

Re:Casted vs Thrown Illumination (1)

bsane (148894) | more than 2 years ago | (#39389077)

I have no idea how much they cost, whether the manufacturer has any qualms about selling them to whoever wants to buy or if they're sufficiently widespread that someone suitably unscrupulous could easily buy secondhand, borrow or steal one.

Like local law enforcement?

Re:Casted vs Thrown Illumination (0)

Anonymous Coward | more than 2 years ago | (#39525857)

There's another article about PIN extraction for most i* devices that basically jailbreak the device so they can access the whole filesystem -- and they only need the device for about 2 minutes.

other one (0)

Anonymous Coward | more than 2 years ago | (#39387321)

hmm this is interesting but i found more about this at www.scimat.com everyone should check it out

Google Docs file (0)

Anonymous Coward | more than 2 years ago | (#39387979)

All my silly passwords in a google docs file.

What do I care if someone gets into my pandora account?

Not for banking or anything related to money obviously.

Not Surprising (1)

aaaaaaargh! (1150173) | more than 2 years ago | (#39388149)

I'm the maker of a password manager for non-mobile platforms and can't think of any technical reasons why a mobile app would be less secure, as long as you don't intentionally sacrifice security for performance. However, from my own surveys of my "competitors" on Linux, Windows, and OS X I can assure you that not half of the programs out there can keep the promises they make.

One thing you might check out to evaluate such apps is whether the encryption method is made public and whether the author explains exactly which hashing and salting methods he uses. Of course, if you want to make sure you need the source code but it's a good rule of thumb. Just writing AES means nothing, it could be AES in ECB mode with weak password hashing and no salting. But to be honest, I've even seen apps that store the passwords XOR encoded in the prefs file, no kidding.

No surprise (1)

gweihir (88907) | more than 2 years ago | (#39388661)

In fact, I find that the more bold the security claims, the worse the actual security. Have seen this several times now. Be especially wary if somebody claims "Security is our highest priority". It means in fact: "Our security is so bad, that fixing it should be our highest priority, but it is not. We asked the PR people to fix this instead."

Most people implementing software today have no clue about security and that includes people writing security products. It is really pathetic. I think the reason is people wanting to keep their jobs ("yes, we can do that") and management that has no clue at all that writing secure software is a specialty that needs 5-10 years of experience in addition to specific training and talent before you can build anything that begins to be secure.

One problem I see... (1)

rthille (8526) | more than 2 years ago | (#39389365)

One problem I see with phone-based password managers without hardware assisted crypto is the huge difference between the CPU power on the phone and even a $3000 dedicated cracking box. One thing the PDF quantifies is the amount of CPU/GPU time it'll take to generate a key for test decryption. 1-Password (the tool I've got, but haven't started using yet due to paranoia :-) uses just a single round of MD5 to generate the key, so key generation is fast. So fast that the GPU rig can test all the passwords possible in a 12.2 character (95 possible chars) password in just a day. So, for a decently safe password, you need at least 13 chars, and that'll buy you 3 months of data protection. And, you'll have to type that on your phone every time you want to use the password manager.

It seems that password managers should use a lot more CPU in the generation of the key from the password, even to the point where the delay on the phone approaches one second after the password is typed. One of the password managers ("the best") uses 4000 rounds of PBKDF2-SHA1 and so even with the GPU the cracking system can only check 10.1 characters worth of passwords in a day. So, a 12 character password will give you ~9000 days of data protection (assuming I'm doing the math correctly :-).
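The arithmetic in the comment above (how many "characters' worth" of passwords a cracking rig covers per day, and how iteration count stretches that into days of protection) generalises to a few lines of Python. This is an added example, not the poster's or the PDF's calculation; the 1e9 guesses-per-second rig rate is a constructed figure, and the calibration routine shows how a manager could pick an iteration count that costs about one second on the device it runs on.

```python
import hashlib
import math
import os
import time

ALPHABET = 95  # printable ASCII characters, the alphabet used in the comment


def keyspace(length, alphabet=ALPHABET):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def chars_per_day(iterations, base_guesses_per_sec, alphabet=ALPHABET):
    """Password length (fractional) whose entire keyspace the cracker can
    exhaust in one day. Every extra KDF iteration divides the guess rate,
    which is what separates the '12.2' and '10.1' character figures."""
    guesses_per_day = base_guesses_per_sec * 86400 / iterations
    return math.log(guesses_per_day) / math.log(alphabet)


def crack_days(length, iterations, base_guesses_per_sec, alphabet=ALPHABET):
    """Days to exhaust the keyspace of `length`-character passwords.
    Expected time to hit a random password is half of this."""
    guesses_per_day = base_guesses_per_sec * 86400 / iterations
    return keyspace(length, alphabet) / guesses_per_day


def calibrate_iterations(target_seconds=1.0, sample_iterations=20000):
    """Time PBKDF2-HMAC-SHA1 on this machine and return the iteration count
    that makes one derivation take roughly `target_seconds`. Run on the
    phone itself, this is how a manager would choose 'about one second'."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha1", b"calibration", salt, sample_iterations, 32)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(sample_iterations * target_seconds / elapsed))


if __name__ == "__main__":
    RATE = 1e9  # constructed: single-hash guesses per second on a cracking rig
    print("iterations  chars/day  days to exhaust 12 chars")
    for rounds in (1, 3, 4000, 100000):
        print(f"{rounds:>10}  {chars_per_day(rounds, RATE):>9.2f}  "
              f"{crack_days(12, rounds, RATE):>24.3g}")
    print("iterations for ~1 s on this machine:", calibrate_iterations())
```

The table makes the poster's point directly: going from one hash per guess to 4000 buys a little over one character of password length, and only a much larger count (or a longer password) moves the exhaustion time into years.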

Mobile Password Security is a Generic Problem (2)

jasnw (1913892) | more than 2 years ago | (#39391561)

I purchased an iPad just after the 2 came out - I'm still wondering if that was a mistake. One of the main issues I am always wrestling with is how passwords for website access are handled, or not handled is more like. Safari doesn't have a protected username/password store capability (unless you consider AutoFill to be a nice secure way to store this info on a mobile device), and the third-party stuff like 1Password can't talk to Safari because of sandbox restrictions with iOS. Why is it that strong credentials security for accessing web-based information isn't a major component of mobile OS's? For me, it's now the main reason I don't get an iPhone and will likely turn my iPad into an expensive gaming pad for my grandson. (Yeah, I'm old - bring back Big Iron.)