I am a big advocate of using a password manager application.

Password best practices

I have unique passwords for each site, and I use complex passwords. Remembering the usernames and passwords for each one is daunting, which is why I use the password manager. Until recently, I had only used Password Safe, an old but good cross-platform, open source password manager. I ran into problems when I was without my laptop and had to search for a decent, compatible mobile app. I have since settled on not only “pwSafe” for mobile, but also “pwSafeMac” by the same developer for Mac OS X… and I really like them!
Before we get too far… what is a mobile password manager?

A mobile password manager has all the design challenges of a password manager on the desktop, plus some mobile-platform-specific considerations to ensure that security is not compromised simply by the move to a mobile platform. Below are a few important qualities to look for in a mobile password manager app:
Secure Resource Usage

It is important that a password manager use resources securely, such as:
- locking memory to ensure it cannot be swapped or paged
- wiping memory after it is used to ensure the plaintext password is not left in memory after de-allocation
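The two bullets above are easy to state and easy to get subtly wrong: a plain `memset` before `free` is often removed by the compiler as a dead store, and memory that is never locked can be paged to disk with the plaintext in it. The following is an added C example (not pwSafe's or Password Safe's code) of a small "secure buffer" that locks its pages with `mlock`, wipes through a `volatile` pointer so the wipe survives optimisation, and exposes a `clear` operation a caller can invoke on an idle timeout or a low-memory warning without freeing the buffer. The struct and function names are assumptions for this illustration; `mlock` is used on a `malloc` region, which Linux and macOS accept (the kernel rounds to page boundaries), and a failed `mlock` (for example under `RLIMIT_MEMLOCK`) is recorded rather than silently ignored.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed example of a secure buffer for plaintext secrets. */
typedef struct {
    unsigned char *data;
    size_t len;      /* usable length in bytes */
    int locked;      /* 1 if mlock() succeeded, 0 if the pages may be swapped */
} secure_buf;

/* Wipe through a volatile pointer: the compiler may not elide these stores
 * even though the buffer is freed immediately afterwards. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Allocate and lock. Returns 0 on success, -1 if allocation failed. */
int secure_buf_alloc(secure_buf *sb, size_t len) {
    unsigned char *mem = malloc(len);
    if (!mem) return -1;
    memset(mem, 0, len);
    sb->data = mem;
    sb->len = len;
    /* mlock keeps the pages resident so plaintext is never paged to disk.
     * Failure is a degraded state the caller can check via sb->locked. */
    sb->locked = (mlock(mem, len) == 0) ? 1 : 0;
    return 0;
}

/* Wipe the contents but keep the allocation (idle timeout, memory warning). */
void secure_buf_clear(secure_buf *sb) {
    if (sb->data) secure_wipe(sb->data, sb->len);
}

/* Wipe, unlock and release. Order matters: wipe BEFORE unlock/free. */
void secure_buf_free(secure_buf *sb) {
    if (!sb->data) return;
    secure_wipe(sb->data, sb->len);
    if (sb->locked) munlock(sb->data, sb->len);
    free(sb->data);
    sb->data = NULL;
    sb->len = 0;
    sb->locked = 0;
}

/* 1 if every byte is zero; used to verify that a wipe really happened. */
int secure_buf_is_zeroed(const secure_buf *sb) {
    for (size_t i = 0; i < sb->len; i++)
        if (sb->data[i] != 0) return 0;
    return 1;
}

/* Self-test: returns 0 on success, otherwise the number of the failed step. */
int secure_buf_selftest(void) {
    secure_buf sb;
    if (secure_buf_alloc(&sb, 32) != 0) return 1;
    memcpy(sb.data, "hunter2", 8);              /* constructed sample secret */
    if (secure_buf_is_zeroed(&sb)) { secure_buf_free(&sb); return 2; }
    secure_buf_clear(&sb);
    if (!secure_buf_is_zeroed(&sb)) { secure_buf_free(&sb); return 3; }
    secure_buf_free(&sb);
    if (sb.data != NULL || sb.len != 0) return 4;
    return 0;
}

int main(void) {
    secure_buf sb;
    if (secure_buf_alloc(&sb, 64) != 0) return 1;
    printf("pages locked: %s\n", sb.locked ? "yes" : "no (mlock failed)");
    printf("selftest: %d\n", secure_buf_selftest());
    secure_buf_free(&sb);
    return 0;
}
```

The `locked` flag is the check worth surfacing: a password manager that cannot lock its pages should know it, because the plaintext may then reach swap or a hibernation file even though the wipe-on-free behaviour still works.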
pwSafe builds on Password Safe’s implementation and ensures that the techniques and methods used have been well tested and vetted by many members of the security community. For example, the pwSafe app responds to iOS warnings about memory conditions and termination.

Proven Encryption

Another crucial part of a password manager is the encryption that is used to protect the passwords at rest. This includes the algorithm, key sizes, and modes used during encryption and decryption. Again, being based upon Password Safe’s near decade of design, implementation, testing, and widespread usage, pwSafe is well covered in this regard.

Timeout

A secure password manager closes the encrypted file and wipes clean any traces of the plaintext that it may have in memory after the application hasn’t been in use for a time. pwSafe defaults to a five minute timeout that can be overridden when entering the master password for the encrypted password safe. Using timers, it ensures that the app cleans up even when in the background.

Screen blanking

In iOS, screen transition effects use a screen shot of the application to apply effects, such as:
- Switching between applications
- Bringing up the multitasking bar
- Returning to the home screen
Such screen shots reside on the system, and a malicious user with physical access, or a running piece of malware, may gain access to any confidential information that resides in them: a major concern for a password management app! pwSafe implements applicationWillResignActive so that all information on the screen is masked before any screen shots or transitions occur.

Clipboard Cleaning

An important feature for all password manager apps is that the clipboard should be cleared in order to prevent the password from being leaked by actions such as:
- Accidental pasting by the user
- Another app examining the clipboard
- Finding the password in memory
When developing a mobile app, the developer must consider that the app may be switched out at any time, including for high priority tasks such as phone calls. pwSafe implements timers to ensure that the clipboard is cleared regardless of whether or not the app is active.

Verifiable Design

Last, but not least, is verifiable design. An app such as a password manager handles my most valuable keys, the ones that protect both my digital and tangible assets. Accepting such an app’s claim of being “secure” is just something that most members of the security community are not prepared to do, myself included. In this case, the pwSafe app is open source and allows users to inspect the methods, algorithms, and resource usage before trusting it to guard their most precious secrets.
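The Timeout and Clipboard Cleaning sections above describe the same underlying mechanism: a timer that fires whether or not the app is active, and that wipes plaintext when a deadline passes. The following is an added C example (not pwSafe's code) that models both timers as a small state machine with the clock injected as a parameter, so the behaviour can be exercised deterministically. The type and function names, the 300-second idle default and the 30-second clipboard delay used in the self-test are assumptions for this illustration; the five-minute default is the only value taken from the text. One design point it makes concrete: the tick compares timestamps rather than counting timer firings, so a tick that arrives late (for example after the app was suspended during a phone call) still locks the safe and clears the clipboard on its first run.

```c
#include <stdio.h>
#include <string.h>

#define SECRET_MAX    64
#define CLIPBOARD_MAX 64

/* Constructed model of a password manager's two cleanup timers. */
typedef struct {
    int    unlocked;
    char   secret[SECRET_MAX];       /* stands in for the decrypted safe */
    double last_activity;            /* monotonic seconds */
    double idle_timeout;             /* seconds of inactivity before locking */
    char   clipboard[CLIPBOARD_MAX]; /* stands in for the system pasteboard */
    double clipboard_expires;        /* 0 when nothing is scheduled */
} safe_state;

/* Volatile wipe so the compiler cannot drop the stores as dead. */
static void wipe(char *p, size_t n) {
    volatile char *v = p;
    while (n--) *v++ = 0;
}

void safe_init(safe_state *s, double idle_timeout) {
    memset(s, 0, sizeof *s);
    s->idle_timeout = idle_timeout;
}

/* Master password accepted: hold the decrypted contents and start the idle clock. */
void safe_unlock(safe_state *s, const char *plaintext, double now) {
    strncpy(s->secret, plaintext, SECRET_MAX - 1);
    s->secret[SECRET_MAX - 1] = '\0';
    s->unlocked = 1;
    s->last_activity = now;
}

/* Close the safe and wipe every trace of plaintext it held. */
void safe_lock(safe_state *s) {
    wipe(s->secret, SECRET_MAX);
    s->unlocked = 0;
}

/* Any user interaction resets the idle clock. */
void safe_touch(safe_state *s, double now) { s->last_activity = now; }

/* Copy the secret to the clipboard and schedule its removal. */
void safe_copy_to_clipboard(safe_state *s, double now, double clear_after) {
    if (!s->unlocked) return;
    strncpy(s->clipboard, s->secret, CLIPBOARD_MAX - 1);
    s->clipboard[CLIPBOARD_MAX - 1] = '\0';
    s->clipboard_expires = now + clear_after;
    s->last_activity = now;
}

/* Timer tick, called from foreground or background alike. Because it
 * compares against deadlines rather than counting firings, a late tick
 * after a suspension still performs every overdue cleanup.
 * Returns a bitmask: 1 = safe locked on this tick, 2 = clipboard cleared. */
int safe_tick(safe_state *s, double now) {
    int events = 0;
    if (s->unlocked && now - s->last_activity >= s->idle_timeout) {
        safe_lock(s);
        events |= 1;
    }
    if (s->clipboard_expires > 0 && now >= s->clipboard_expires) {
        wipe(s->clipboard, CLIPBOARD_MAX);
        s->clipboard_expires = 0;
        events |= 2;
    }
    return events;
}

int safe_is_unlocked(const safe_state *s) { return s->unlocked; }
int clipboard_is_empty(const safe_state *s) { return s->clipboard[0] == '\0'; }

/* Self-test: returns 0 on success, otherwise the number of the failed step. */
int safe_selftest(void) {
    safe_state s;
    safe_init(&s, 300.0);                          /* five minute idle timeout */
    safe_unlock(&s, "hunter2", 0.0);               /* constructed sample secret */
    safe_copy_to_clipboard(&s, 10.0, 30.0);        /* clear clipboard at t=40 */
    if (safe_tick(&s, 20.0) != 0)     return 1;    /* nothing due yet */
    if (clipboard_is_empty(&s))       return 2;
    if (safe_tick(&s, 40.0) != 2)     return 3;    /* clipboard deadline */
    if (!clipboard_is_empty(&s))      return 4;
    if (!safe_is_unlocked(&s))        return 5;    /* still within idle window */
    if (safe_tick(&s, 309.0) != 0)    return 6;    /* 299 s idle: not yet */
    if (safe_tick(&s, 310.0) != 1)    return 7;    /* 300 s idle: lock */
    if (safe_is_unlocked(&s))         return 8;
    if (s.secret[0] != '\0')          return 9;    /* plaintext wiped */
    return 0;
}

int main(void) {
    printf("selftest: %d\n", safe_selftest());
    return 0;
}
```

On a real device the `now` argument would come from a monotonic clock read inside the timer callback (and again when the app returns to the foreground), which is what makes the "cleans up even in the background" property hold when the platform defers timer delivery.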
References:
- http://www.techrepublic.com/blog/security/five-features-of-a-good-password-manager/3224
- http://passwordsafe.sourceforge.net/relatedprojects.shtml
- http://app77.com/pwSafe/
- http://developer.apple.com/library/ios/#documentation/UIKit/Reference/UIApplicationDelegate_Protocol/Reference/Reference.html#//apple_ref/occ/intfm/UIApplicationDelegate/applicationWillResignActive:
- http://stackoverflow.com/questions/7520076/how-not-to-allow-the-ios-from-taking-a-screen-capture-of-your-app-before-going-i