Anyone here using a password manager for iOS? What do you like?

[cmeisenzahl]

Getting to the point that passwords are barely manageable. Thinking about using a password manager. But I work daily on Mac OS, iOS, and Windows.

What tools do you like/recommend?

Thanks in advance,
Chris

[Troneas]

http://forums.macrumors.com/showthread.php?t=1470844

[vastoholic]

Quote:

Originally Posted by cmeisenzahl

Getting to the point that passwords are barely manageable. Thinking about using a password manager. But I work daily on Mac OS, iOS, and Windows.

What tools do you like/recommend?

Thanks in advance,
Chris

I've got mSecure. It's pretty decent for my needs. My main problem is I keep forgetting to update it after my passwords expire and I change them. It has a desktop companion that syncs with the mobile version as well.

[HiddenPuppy]

I like SplashId since it has a desktop version and I can sync with that. I have used it since the first PDA and upgraded with each phone.

[cmeisenzahl]

Excellent. Thanks, all!

[cambookpro]

1Password for me.

[shenfrey]

I use 1password, though it syncs beautifully via icloud on iOS, it doesn't sync with icloud via the mac, but for a phone password management app you can't go wrong with 1password.

[Bob Coxner]

LastPass for me. Works well in Windows, iOS and OS X and syncs among all 3. It's free and gets great reviews.

https://lastpass.com/

[Agent-P]

Currently I use 1Password for IOS, OSX, and Windows. Overall I like it, but I'm considering switching to LastPass to see how I like it because it has a better Windows client.

[ManicMarc]

I use LastPass, works great, especially the Safari bookmarklets.

[rever3nce]

Quote:

Originally Posted by shenfrey

I use 1password, though it syncs beautifully via icloud on iOS, it doesn't sync with icloud via the mac, but for a phone password management app you can't go wrong with 1password.

You can sync it with Dropbox . It works wonders for me! I have a lot of passwords and now I can have a more secure password by generating ine with 1password and just copy it from the app

[wrosie]

I use Keeper.

[bobr1952]

I don't mind saying this in the latest thread on this subject--I really love 1Password and have been using it since I bought my first iMac in 2008. I use it on my Macs and iPhone--great way to manage passwords across multiple devices. The new version for Mac they are working on will allow sync through iCloud. And please don't get on them too hard about needing to buy the latest version in the app store when it comes out, Apple only allows iCloud sync for apps that are sold in their app stores.

[mdlooker]

I use keeper.. Not sure if it's free anymore but it was when I got it.

[SandboxGeneral]

Quote:

Originally Posted by cmeisenzahl

Getting to the point that passwords are barely manageable. Thinking about using a password manager. But I work daily on Mac OS, iOS, and Windows.

What tools do you like/recommend?

Thanks in advance,
Chris

I use LastPass on iOS, OS X and Windows.

[ManicMarc]

If anyone is interested, this Security Now podcast has an in-depth review of many if these suggestions and looks into their security (and lack of in some cases) well worth a listen before you go putting your important passwords into one of these things,

http://www.grc.com/sn/sn-347.htm

[DarrenUK]

1password here also.

[sharpycl]

What are the benefits of using these versus a spreadsheet to log all of your passwords?

I'm thinking of trying one of these programs myself.

[vastoholic]

For those of you who didn't want to read the whole transcript looking for the password manager reviews, here's the few that I saw mentioned in this thread.

"Brain Challenged":

Quote:

Also under brain challenged is, for $9.99, something you pay $10 for and think, oh, well, if it's 10 bucks it must be better, this one is called SplashID Safe, SplashID Safe for iPhone. Now, this uses Blowfish rather than AES. And it's one of several, only a few, that do use Blowfish. Blowfish is interesting. It was designed by our friend Bruce Schneier back in 1993. So it's been around a long time, and it has withstood all attack.

The problem with Blowfish is that it uses, because it's so old, it uses a smaller block size. It's a 64-bit symmetric cipher, meaning you put in 64 bits at a time and get out a different 64 bits. That's significant because there aren't - there are, what, we know that there are four billion combinations of 32 bits. That means there's 16 billion billion combinations of 64. Once upon a time, back in '93 when Bruce did that, that was enough. But that was - that's a long time ago in terms of computing power explosion. So 64-bit block ciphers are really no longer considered secure enough for industrial work.

But what is significant about this is that it uses a highly complex key setup, which is to say, remember the way these ciphers work is there's something called a "key schedule" is the technical term, the idea being you take the key, and you do a bunch of stuff to it to create some raw data based on the key, which is then used, for example, by successive rounds of the key. This is the way AES, for example, works, where it's like an 11-round process for, I think it's AES-128 uses 11 rounds. Each of those 11 rounds uses different data from the key setup.

Well, normally a cipher wants a fast key setup, that is, it doesn't want much overhead associated with getting going. Blowfish has a particularly onerous key setup that involves preprocessing of a block of about 4K. So it's very slow to set up the key. But that's a good thing when you're wanting to prevent guessing because any brute forcing is by its nature requiring you to try this key, which means you've got to go through all this, in this case with Blowfish, a lot of work to get this thing set up.

So all of this sounds really good. In fact, I should mention that OpenBSD uses for some of its security Blowfish on purpose because it's so complex. It's just burdensome to guess what the key is. So all of this good stuff was used by SplashID Safe for iPhone for $10. After they did all this, the master password is encrypted under Blowfish - you're giggling, Leo.


Leo: I can just tell something bad's coming.

Steve: Something bad's coming. Master password is encrypted under Blowfish using a fixed key. Which is - I'll spare everyone saying upper and lower case. So it's "g.;59?^/0n1X*{OQIRwy." Now, clearly someone went to some serious trouble coming up with that.

Leo: Nice random password. But it's the same.

Steve: And it's always the same.

Leo: On every - I can't believe it.

Steve: It's built - I know, I know. It's built into the software. That's the magic key. So when someone sees that you're using SplashID Safe, for which you paid $10, and they have access to your raw data, they go, oh. And they simply use Blowfish to decrypt the stored encrypted key using that secret magic phrase. Then that gives them your actual Blowfish key, which allows them to decrypt all your data. So it doesn't matter how long it takes Blowfish to get going and set up its key schedule because they only have to do it once because they can decrypt your key using the secret passphrase built into the application. Not so good

Quote:

Now, stepping up a little bit, we come to the "brain challenged" two. There's something called Keeper Password and Data Vault. Now, this one uses encryption, AES-128. Most of the things we'll talk about from here on out use encryption, and most of them use AES-128, sometimes 256. We know that 128 is just fine for today. It encrypts in CBC mode, Cipher Block Chaining, which is one of the standard modes for using AES encryption, so that's good. The encryption key uses the first 16 bytes, which is 128 bits, of the SHA-1 hash of the master password. So that's pretty good. You put in any length password you want. It hashes that to 128. It does it as an SHA-1. Then it uses the first 128 bits of that as the key for the AES encryption.

But the master password is verified by comparing an MD5 hash of what you enter with the MD5 hash of the password when you set it. So when you're setting this up, it says give us your master password, and you enter it. And it says, oh, verify that. And so you put it in a second time. And it's like, oh, very good. You put it in twice correctly, so we believe you're going to be able to do it in the future. It then makes an MD5 hash of that, and that's what it stores. So the crypto is good, but it stored an MD5 hash, without any salt, of your password. Which means any rainbow table with MD5, which is one of the older hashes that has been rainbowed to death, can be used to look up your password. So not so good.

All they had to do was salt it, just add some salt to the hash, and then rainbow tables wouldn't be - precomputed rainbow tables couldn't be used. But they didn't do that. So you just - so anyone who has access to the raw data would take the MD5 hash of your password, look it up in an online rainbow table, which would give them the password. And then they put that in, which it then SHA-1 hashes to get the decryption key, and they can decrypt your data. So it's better than nothing. But they could have easily made it a little stronger. And, I mean, any listener to this podcast knows 25 ways that these things could be made stronger. But the authors of these programs apparently don't or didn't care.

"Useful" protectors:

Quote:

mSecure Password Manager, for $10, uses Blowfish encryption. The encryption key is an SHA-256 hash of the master password, so that's pretty strong. They do password verification by performing a trial decryption of a known verification value for comparison. So when you enter your password, they hash it and then perform a trial decryption of something whose decrypted value they know. And if it matches, then it's safe. So that means, okay, you could perform an offline attack. Password recovery would require one SHA-256 process and a Blowfish key setup. And that's significant because that's very slow. So I think mSecure looks like they did a good job.

Quote:

And finally LastPass - which is as we know $1 per month for the premium, Last Pass Premium, but they use the same technology even for their free, uses AES-256 encryption, so nice strong key. They use an SHA-256 hash of the username plus the password. So that's got the advantage of probably being longer than if you were just using the password. Essentially the username becomes the salt when you're entering the password every time, after you've set it up. And they verify by decrypting the 256-hash of the encryption key. So password recovery for LastPass requires two SHA-256 hashes and an AES-256 decryption. So that's also pretty strong.

Quote:

Steve: Yes, the numeral 1Password.

Steve: And they're good people. I did look at it. I looked at several of their blog entries. This report from ElcomSoft was a little harsh about them.

Leo: They're probably the No. 1 iOS password manager.

Steve: Well, yes. And they are absolutely strong. They're as strong as any of the good ones.

Steve: And from looking at the blog postings, they're going to make it stronger. They weren't, as I recall, they weren't doing any password strengthening, though all of their crypto was absolutely good and solid. I can probably - I didn't have it in my notes, but I think I've got the - I've got it right here in front of me, the ElcomSoft deal, what they said about 1Password. Yeah.
1Password Pro, it is $14.99. And it actually uses a bunch of MD5 hashes with salt, so rainbow tables cannot be applied. And it uses AES-128 encryption to generate database keys and strong validation. And I do know from reading their blogs that, if they haven't already, they're just in the process of adding some good strengthening to bring it up to speed. But I was impressed by everything that I saw on their website. So I think 1Password Pro is - and it looks like it's the priciest one of the ones we've seen. But they've done a good job. So I would absolutely trust them. There is no backdoor, no shortcut into passwords stored with them.

[old-wiz]

I use 1Password on OSx and IOS. It works great on OSx, but more difficult on IOS since you can't have an add-on for safari or chrome. I keep passwords and CC info and have a strong password. Part of the problem on IOS is entering a strong password - I'm not that used to the little keypad