Throwing Light On Elcomsoft's Analysis of Smartphone Password Managers

An anonymous reader writes "Security firm Elcomsoft analyzed 17 iOS and BlackBerry password-keeping apps and found their actual security levels well below their claimed level of protection. With additional digging, however, Glenn Fleishman at TidBITS found that Elcomsoft's criticisms rely on physical access to the apps' data stores, and, for some of the more common apps, on the user employing a short (6 characters or fewer) or numeric password. In other words, there really isn't much risk here."

Re:WTH

[philip.paradis]

You have demonstrated a profound level of ignorance of the most basic elements of cryptography. May I suggest spending some quality time with Applied Cryptography, among other notable and readily available references in the field.

Re:WTH

[rtfa-troll]

I have no idea why someone would gloss over / apologize for half-baked attempts at practical crypto, as Glenn Fleishman appears to have done here ("oh yeah, it's not really secure, did you reeeally need that?"). Does he have a horse in this race?

Very good question (mods; you should be reading at -1). Having looked about a bit it seems that he has been recommending this password software, for example he recommended 1password pro which has multiple problems; doesn't use the keychain; encourages use of a PIN for security and (to quote Elcomsoft):

Thus, very fast password recovery attack is possible, requiring one MD5 computation and one AES trial decryption per password.

When you write articles on a topic you likely get advertising revenue from that, so it's possible he's also being attacked on his income. As they say, "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" (N.B. I am not suggesting concious corruption or something).

In the end I guess I had better put it in an obXKCD which puts this better than I could.