This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

iMobileSitter: Trick or treat?

luke1970 (Junior Member)
Morning,

I found the password storage program named iMobileSitter here: http://www.imobilesitter.com/

It's from the Fraunhofer Institut, and this program has a very interesting way to secure the passwords against theft.

You can read about it on this site, http://www.imobilesitter.com/security_en.php, in the chapter "The trick: iMobileSitter".

Is this feature something for the 1Password mobile apps?

Greetings, Bernd

Comments

  • khad (Social Choreographer)
    Thanks for asking about this, Bernd. I've seen this link going around lately, so I am happy to be able to address it here.



    We do a great deal to protect against password crackers. The standard approach involves both "key spreading" and "key strengthening". The first makes sure that we use every bit of the 128-bit AES encryption key, and the second is to slow down brute force attacks on the master password. You can read more about our use of PBKDF2 here:



    http://blog.agilebits.com/2011/05/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/



    Ultimately we need to encourage people to develop strong, memorable, master passwords. You can read about that here:



    http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/



    The proposal you referred to — the idea of not indicating success or failure of decryption — is nothing new. Indeed, until the second half of the 20th century that is how all cryptographic systems worked. For example, the final test at the Bletchley Park code breaking operation was whether the decoded Enigma messages "looked like German".



    Such a system only has a hope of working if the data to be decrypted is truly random. Keep in mind that 1Password isn't just keeping your passwords encrypted, but also notes, usernames and other data that can easily be analyzed to see if decryption was successful.



    Modern cryptographers have pretty much concluded that the difficulties in making sure that successfully decrypted material is statistically indistinguishable from unsuccessfully decrypted material is far far more error prone than getting the data integrity reliability that comes with indicating success or failure.



    We are always looking at way to improve your security with 1Password, but in this case, I really don't see us going down that road.



    Please let me know if there is anything else I can help with!
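An added illustration of the two points in khad's reply, written for this page by the editor in Python; it is not AgileBits or iMobileSitter code and does not reflect either product's real file format. It shows PBKDF2 key strengthening, and why a "no success or failure indicator" design only helps when the stored data is truly random. The cipher is a toy (HMAC-SHA256 in counter mode, XORed with the plaintext, no authentication tag), chosen precisely so that decryption under a wrong key returns garbage instead of an error. The salt, nonce, record contents, master password and guess list are all constructed for the example.

```python
import hashlib
import hmac
import json

# Added example, not AgileBits/iMobileSitter code. The salt, nonce, record,
# master password and guess list below are constructed for illustration.
SALT = b"constructed-salt-0123456789abcdef"
ITERATIONS = 20_000  # PBKDF2 work factor; real deployments use far more


def derive_key(master_password: str, salt: bytes = SALT,
               iterations: int = ITERATIONS) -> bytes:
    """Key strengthening: PBKDF2-HMAC-SHA256 maps the master password to a
    32-byte key. Every guess an attacker makes costs the same `iterations`
    HMAC evaluations, and the output spreads the password's entropy over
    every bit of the derived key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream-cipher keystream: HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # No MAC on purpose: this is the "never indicate success or failure"
    # design, so decryption under *any* key yields some output.
    return nonce + xor_with_keystream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return xor_with_keystream(key, nonce, body)


def looks_like_vault_record(candidate: bytes) -> bool:
    """The attacker's 'does it look like German?' test: a real vault item is
    UTF-8 JSON with known field names; random bytes essentially never are."""
    try:
        obj = json.loads(candidate.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(obj, dict) and {"username", "password", "notes"} <= set(obj)


def guessing_attack(blob: bytes, guesses, salt: bytes = SALT) -> list:
    """Return the master-password guesses the plausibility test accepts."""
    return [g for g in guesses
            if looks_like_vault_record(decrypt(derive_key(g, salt), blob))]


def demo() -> dict:
    nonce = b"constructed-iv00"  # 16 bytes, fixed so the run is reproducible
    master = "correct horse battery staple"
    key = derive_key(master)
    guesses = ["password", "123456", "letmein", "qwerty", "hunter2", master]

    # 1. Structured data (what a password manager really stores): the
    #    plausibility test singles out the right key without any error flag.
    record = json.dumps({"username": "bernd", "password": "s3cret",
                         "notes": "bank login"}).encode("utf-8")
    blob = encrypt(key, nonce, record)
    accepted = guessing_attack(blob, guesses)

    # 2. Truly random data: the same test accepts nothing, right key included,
    #    so the attacker learns nothing -- but only because the stored value
    #    has no structure at all.
    random_secret = hashlib.sha256(b"constructed random payload").digest()
    blob_random = encrypt(key, nonce, random_secret)
    accepted_random = guessing_attack(blob_random, guesses)

    return {
        "accepted_structured": accepted,      # ['correct horse battery staple']
        "accepted_random": accepted_random,   # []
        "roundtrip_ok": decrypt(key, blob) == record,
    }


if __name__ == "__main__":
    print(demo())
```

The first run shows that once usernames, notes or JSON structure sit next to the passwords, "no failure indicator" buys nothing: the attacker supplies the indicator. The second run is the only case where the trick holds, and it required the payload to be a uniformly random 32-byte string with no surrounding structure. The PBKDF2 step is what actually slows the loop down, and it does so regardless of which design is chosen.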