Elcomsoft Proactive Software


ElcomSoft Co. Ltd. analyzed 17 popular password management apps available for the Apple iOS and BlackBerry platforms, including free and commercially available tools, and found that not one password keeper app provides the level of protection it claims. Only one of the password keepers uses the existing iOS or BlackBerry security model; the rest rely on their own implementation of data encryption. ElcomSoft's research shows that those implementations fail to provide an adequate level of protection, allowing an attacker to recover the encrypted information in less than a day if the user-selected master password is 10 to 14 digits long.

Finally, 7 out of 17 products store users' passwords unencrypted or encrypted so poorly that they can be recovered instantly. "Using the right encryption algorithm is not enough", says Andrey Belenko, ElcomSoft Chief Security Researcher. "It only takes one weak link to ruin the entire security model. Some of the tools would have a better chance to pass our security test if they were about 10,000 to 20,000 times more secure in terms of password recovery speed. Some other tools are completely hopeless and should be avoided at all costs."

"Our research proved once again that IT security requires more than just programming skills", comments Dmitry Sklyarov, ElcomSoft IT Security Analyst. "With open-source strong-crypto libraries everyone and their dog can write a password keeper, claiming their product offers secure protection — which is not really the case. A good security model takes the whole system into account including the user himself — and not just the strength of the encryption algorithm alone".
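As an added illustration, not code from ElcomSoft's research or from any of the audited products, the Python below sizes the 10 to 14 digit master-password space mentioned above, derives the guess rate an attacker would need to exhaust it within a day, and shows what the 10,000 to 20,000 times slower password recovery quoted by Belenko would buy in wall-clock terms. The PBKDF2 timing is an assumption about how a defender might measure per-guess cost for a work factor; the salt and sample password are constructed, and nothing here reflects the KDF any of the 17 products actually uses.

```python
import hashlib
import os
import time

SECONDS_PER_DAY = 86_400


def digit_keyspace(min_len: int, max_len: int) -> int:
    """Count of all-digit passwords whose length lies in [min_len, max_len]."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def implied_guess_rate(keyspace: int, seconds: float) -> float:
    """Guesses per second needed to try every candidate within `seconds`."""
    return keyspace / seconds


def exhaust_time_days(keyspace: int, guesses_per_second: float) -> float:
    """Wall-clock days to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_DAY


def measure_pbkdf2_seconds(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one PBKDF2-HMAC-SHA256 derivation.

    Salt and password are constructed; only the per-guess cost matters here."""
    salt = os.urandom(16)  # constructed; a real store would persist its salt
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"1234567890", salt, iterations, dklen=32)
        best = min(best, time.perf_counter() - start)
    return best


def report() -> dict:
    """Tie the figures together: keyspace, the guess rate implied by 'under a
    day', and the effect of the 10,000x and 20,000x slowdowns quoted above."""
    space = digit_keyspace(10, 14)
    rate = implied_guess_rate(space, SECONDS_PER_DAY)  # about 1.3e9 guesses/s
    return {
        "keyspace": space,
        "guesses_per_second_for_one_day": rate,
        "years_at_10000x_slower": exhaust_time_days(space, rate / 10_000) / 365,
        "years_at_20000x_slower": exhaust_time_days(space, rate / 20_000) / 365,
        # Measured cost of one guess at two KDF work factors, in seconds.
        "pbkdf2_1k_iter_seconds": measure_pbkdf2_seconds(1_000),
        "pbkdf2_100k_iter_seconds": measure_pbkdf2_seconds(100_000),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value:,.4g}" if isinstance(value, float) else f"{key}: {value:,}")
```

A rate of roughly a billion guesses per second on a 14-digit space is only reachable when each guess costs about one hash; raising per-guess cost by four orders of magnitude is what turns "under a day" into decades.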


Read a complete press release:

English (pdf, 233 Kb)

German (pdf, 237 Kb)

Russian (pdf, 296 Kb)


Read the full whitepaper