Slashdot Mirror


Throwing Light On Elcomsoft's Analysis of Smartphone Password Managers

An anonymous reader writes "Security firm Elcomsoft analyzed 17 iOS and BlackBerry password-keeping apps and found their actual security levels well below their claimed level of protection. With additional digging, however, Glenn Fleishman at TidBITS found that Elcomsoft's criticisms rely on physical access to the apps' data stores, and, for some of the more common apps, on the user employing a short (6 characters or fewer) or numeric password. In other words, there really isn't much risk here."

2 of 48 comments

  1. Re:KeePass? by unrtst · Score: 5, Insightful

    KeePass is also available for PocketPC, Windows Phone 7, iPhone/iPad (multiple versions), Android, J2ME, BlackBerry, PalmOS, Linux, Mac OS X, Windows 98 through 7 + Wine + Mono, and there are libs that tie into several programming languages.

    I read through the article, the linked PDF, and the PDF linked from the PDF to find out they didn't even test KeePass, which, AFAIK, is one of the most popular and widely available password managers out there.

    I really hate it when someone claims to do a thorough test on something and states something like either "Of all the X we tested, none of them passed" or "Of all the X we tested, only one came close to passing". The former makes me think they should get off their high horse and write it themselves if it's so obvious. The latter that they're just trolling to push one product... especially when there are glaring holes in the tests.

  2. Pretty sad though... by sshock · Score: 3, Insightful

    It is pretty sad though how many of the apps don't encrypt the user data at all, or it's encrypted but the master password is stored in plaintext or is encrypted with a hard-coded key. Then there are many of them using strong crypto algs but not properly (e.g., what is the point of using PBKDF2 but with only 3 iterations?).
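The PBKDF2 point in the comment above, as an added example that is not from the thread or from any of the apps Elcomsoft tested: the same call with 3 iterations and with a current-guidance count (600,000 for PBKDF2-HMAC-SHA256 per the OWASP Password Storage Cheat Sheet), plus the simple configuration check a reviewer would apply. The salt and passwords are constructed, and the 100,000 audit floor is an assumed policy value.

```python
import hashlib
import os
import time

# The setting the comment criticises versus a current-guidance count.
WEAK_ITERATIONS = 3
OWASP_PBKDF2_SHA256_ITERATIONS = 600_000


def derive_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256, as a vault app would use it to turn the master
    password into the key that encrypts the stored credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=length)


def guess_cost_multiplier(strong: int, weak: int) -> int:
    """How many more HMAC computations each master-password check costs under
    the stronger setting. With only 3 iterations the KDF adds almost nothing
    over a bare hash, so it gives no protection to a short master password."""
    return strong // weak


def audit_kdf_iterations(iterations: int, minimum: int = 100_000) -> str:
    """Configuration check: flag a PBKDF2 iteration count below an assumed
    policy floor (100,000 here; adjust to your own requirements)."""
    if iterations >= minimum:
        return "ok"
    return f"too low: {iterations} iterations < required {minimum}"


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed: a real app stores this with the vault
    for label, n in (("weak", WEAK_ITERATIONS),
                     ("owasp", OWASP_PBKDF2_SHA256_ITERATIONS)):
        t0 = time.perf_counter()
        derive_key("correct horse", salt, n)
        ms = (time.perf_counter() - t0) * 1000
        print(f"{label:5s} {n:>7d} iterations: {ms:8.2f} ms per check,",
              audit_kdf_iterations(n))
    print("cost multiplier:",
          guess_cost_multiplier(OWASP_PBKDF2_SHA256_ITERATIONS, WEAK_ITERATIONS))
```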