Throwing Light On Elcomsoft's Analysis of Smartphone Password Managers
An anonymous reader writes "Security firm Elcomsoft analyzed 17 iOS and BlackBerry password-keeping apps and found their actual security levels well below their claimed level of protection. With additional digging, however, Glenn Fleishman at TidBITS found that Elcomsoft's criticisms rely on physical access to the apps' data stores, and, for some of the more common apps, on the user employing a short (6 characters or fewer) or numeric password. In other words, there really isn't much risk here."
I think Mr Fleishman is well aware. After all, he is a columnist for an Apple magazine and has a degree in art.
Elcomsoft has only cracked Blu-ray, DVD, HD DVD and most other forms of commercially available encryption. They're practically noobs and probably don't even own an iPhone between them (LOLZ!).
Mod me down, my New Earth Global Warmingist friends!
You have demonstrated a profound level of ignorance of the most basic elements of cryptography. May I suggest spending some quality time with Applied Cryptography, among other notable and readily available references in the field.
Write failed: Broken pipe
KeePass is also available for PocketPC, Windows Phone 7, iPhone/iPad (multiple versions), Android, J2ME, BlackBerry, PalmOS, Linux, Mac OS X, Windows 98 through 7 + Wine + Mono, and there are libs that tie into several programming languages.
I read through the article, the linked PDF, and the PDF linked from the PDF to find out they didn't even test KeePass, which, AFAIK, is one of the most popular and widely available password managers out there.
I really hate it when someone claims to do a thorough test on something and states something like either "Of all the X we tested, none of them passed" or "Of all the X we tested, only one came close to passing". The former makes me think they should get off their high horse and write it themselves if it's so obvious. The latter that they're just trolling to push one product... especially when there are glaring holes in the tests.
I have no idea why someone would gloss over / apologize for half-baked attempts at practical crypto, as Glenn Fleishman appears to have done here ("oh yeah, it's not really secure, did you reeeally need that?"). Does he have a horse in this race?
Very good question (mods; you should be reading at -1). Having looked about a bit it seems that he has been recommending this password software, for example he recommended 1password pro which has multiple problems; doesn't use the keychain; encourages use of a PIN for security and (to quote Elcomsoft):
When you write articles on a topic you likely get advertising revenue from that, so it's possible he's also being attacked on his income. As they say, "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" (N.B. I am not suggesting conscious corruption or something).
In the end I guess I had better put it in an obXKCD which puts this better than I could.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();