Quote:
Originally Posted by Teknikal
Put me down as an mSecure user. I like how I can update my passwords on any device and it syncs to the rest of them using Dropbox; it also lets you do things like send encrypted backups to Gmail etc.
Expensive, yes, but I'm not taking chances with a small developer I can't be sure is truly trustworthy when it comes to passwords.
If you want trustworthiness, PasswordSafe is your best option. Originally written by an expert in the field of cryptography. Also open source, so others in the field can examine and verify whether anything has been overlooked.
A lot of mobile apps* of a closed source nature were recently found to either be doing no encryption, trivially bypassed encryption (simple XOR, or storing the master key with the data encrypted with a known/static password), or using appropriate encryption (AES etc.) but applying it in flawed ways, i.e. without password strengthening.
With a closed source app, there's no way to know if that's the case unless someone attempts to reverse engineer it or otherwise puts in a lot of effort. With cryptography, trusting the developer alone is not sufficient. Even a knowledgeable developer can overlook an issue that becomes a critical flaw in the safety of the application. Others in the field need to have the opportunity to look over their implementation to offer some degree of validation.
As an example, consider how SplashID present themselves and their password safe app. They're apparently a trustworthy developer; they've made numerous apps their customers have happily used for years. Now read how flawed their implementation is in the above linked pdf and consider that, had that been an open source app, the flaws would likely have been found and people could have recommended against using it, or patched/fixed the issue if possible. With closed source, people have been using that software for years unaware of the flaws, and they only came to light through a concerted effort to analyse various closed source apps.
Maybe SplashID have since fixed that issue, maybe they haven't. As a closed source app there's no way to verify. Even re-running the reverse engineering test wouldn't help, they may have just adjusted how/where they store it in an equally flawed way that "appears" to fix the issue. You'd have to expend a great deal of time analysing the app again. That change however would be much more apparent as a flawed fix in an open source app.
* Now, all that said, it sounds like mSecure isn't too bad. However, I would still recommend using a password safe that not only comes from a developer with experience in cryptography but in addition is open source, so that any shortcomings can be highlighted quickly.
PasswordSafe is one of the few that meets that on the desktop, and MiniKeePass is the closest I could find for iOS, mainly because it's based on KeePass and both are open source (KeePass is also highly regarded).
Don't take the above the wrong way; I'm not saying everyone should always use open source software. Far from it. But when it comes to security critical software like password safes or SSL encryption, open source is by far the best option, allowing professionals and academics a chance to really scrutinise everything it's doing.
And finally, usually you get what you pay for, but in the case of security it's a rare instance where you can get the most assurance of security by using the cheapest (e.g. free) product (just be careful not to arbitrarily pick a free product, as there are just as many poor open source safes as there are closed source ones. The only difference is, with open source we have a chance of knowing it).
PS: Didn't mean the above to sound preachy, that's not my intention. Just trying to make clear some issues. Whether anyone takes note or not is irrelevant as long as people are going into it with their eyes open.
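The post contrasts "AES without password strengthening" with a proper design. The following is an added example, not code from the thread or from any of the products named in it: it shows the weak pattern (one unsalted hash of the master password used directly as the key) beside a strengthened one (salted, iterated PBKDF2-HMAC-SHA256), a vault record that stores only salt, iteration count, nonce, ciphertext and an integrity tag, and a measurement of how much more work each password guess costs once strengthening is in place. Two assumptions: the cipher is a stand-in (HMAC-SHA256 in counter mode as a keystream) because the Python standard library has no AES, and a real safe would use AES-GCM from a vetted library; the iteration count is a figure chosen for illustration, not a recommendation from the page.

```python
"""Added example: master-password strengthening for a password safe.

Not from the forum post. HMAC-SHA256 in counter mode stands in for AES
(the standard library has none); ITERATIONS is an assumed value.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed illustrative count; tune to the target hardware


def weak_key(password: str) -> bytes:
    """Anti-pattern: no salt, a single hash. Same password -> same key on
    every device, and every guess costs the attacker one cheap hash."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def strong_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Password strengthening: salted, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for a real cipher: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master: bytes) -> tuple:
    """Separate encryption and MAC keys derived from the PBKDF2 output."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def seal_vault(password: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """Encrypt a vault. The record holds no key material and no password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(strong_key(password, salt, iterations))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag}


def open_vault(password: str, record: dict) -> bytes:
    """Re-derive the key from the stored salt; verify the tag before decrypting."""
    enc_key, mac_key = _subkeys(strong_key(password, record["salt"], record["iterations"]))
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong password or tampered vault")
    stream = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], stream))


def record_leaks_secret(record: dict, password: str) -> bool:
    """Check for the 'master key stored with the data' flaw: the on-disk
    record must contain neither the password nor any key derived from it."""
    blob = b"".join(v if isinstance(v, bytes) else str(v).encode() for v in record.values())
    derived = strong_key(password, record["salt"], record["iterations"])
    return any(s in blob for s in (password.encode(), derived, weak_key(password)))


def guess_cost_ratio(password: str, iterations: int = ITERATIONS, samples: int = 1000) -> float:
    """How many times more work one password guess costs with strengthening
    than without (wall-clock, so expect variance between runs)."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        weak_key(password)
    per_weak = (time.perf_counter() - t0) / samples
    t1 = time.perf_counter()
    strong_key(password, salt, iterations)
    per_strong = time.perf_counter() - t1
    return per_strong / max(per_weak, 1e-9)


if __name__ == "__main__":
    rec = seal_vault("correct horse battery staple", b"example.com / alice / constructed-secret", 50_000)
    print("round trip ok:", open_vault("correct horse battery staple", rec) == b"example.com / alice / constructed-secret")
    print("record leaks key material:", record_leaks_secret(rec, "correct horse battery staple"))
    print("cost per guess, strengthened vs. weak: %.0fx" % guess_cost_ratio("pw", 50_000))
```

The point the post makes shows up in `guess_cost_ratio`: with an unsalted single hash, an attacker who obtains the vault file tests guesses at raw hashing speed, and the same weak key protects every copy of the vault; with a random salt and a high iteration count each guess is orders of magnitude more expensive and precomputed tables are useless. `record_leaks_secret` is the check a reviewer of an open source safe can run, and a closed source user cannot.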