Password Roulette: Betting on Password Storage Apps
As the smartphone and tablet become our de facto end-points, app builders need to step up the security of their offerings.
Call Ondrej Krehel the poster boy for the password problem that is confronting all of us. Password protection on corporate servers is proving to be dangerously porous -- think Sony, Citigroup, even RSA Security -- and that ups the pressure on every user to use a unique password with each website and Web service.
That is why Krehel, chief security officer at Identity Theft 911, a cyber security outfit, said "Of course I use a password storage app. I have over 300 passwords, most randomly generated. There is no way I could remember them all."
One problem however: app solutions to password storage just may multiply our risks and our problems. Details shortly.
First, feast on the core issue: our memories cannot expand to accommodate the many dozens, if not hundreds, of passwords we now are required to have. Pity the poor user who invokes the same password over and over (sadly, it often is "password" or "123456") said the security wonks because just one breach just may undo his whole cyber existence.
That is why increasing numbers of organizations are requiring users to create strong and varied passwords. Enter the multiplying number of password storage apps for mobile deployment as the smartphone becomes a wallet.
The term "password storage" turns up 39 apps in the Apple Apps Store, for instance. Hundreds pop up in the Android Marketplace.
Which brings us back to a frightening problem. You cannot count on all of these apps to work.
"A lot of the mobile apps and their underlying security simply is untested," said Ken Parmelee, director of applications for Antenna Software. "App's developers don't necessarily have any security expertise and this is causing all kinds of problems."
Parmelee cited a case in point: some password storage apps apparently cache their data in plain text while they are working. That opens up the possibility of a cyber crook highjacking the plain text data. "Some apps are not well thought out," said Parmelee.
Apps developers, for their part, smell money. Interest in mobile password storage apps is high, they report, and sales -- at the $.99 to $2.99 range for most mobile apps -- are proving brisk. The temptation to create a quick and dirty password app is plain. But the consequences for users could be devastating.
This is why Tim Armstrong, malware researcher at Kaspersky Lab, said that before allowing any password storage app into the enterprise (or, really, onto any careful user's mobile device) it first needs to be thoroughly evaluated from a security standpoint.
"When evaluating a mobile password application, there are several things to consider before choosing one. First, the application is only as secure as the access to the device itself, so you should have a screen lock on it at all times, otherwise a lost device is much more at risk if it falls into the hands of a cyber criminal, said Armstrong.
"The quality of software must be extremely secure to avoid data leakage, or insecure database practices. Users must be extra careful in choosing an application and make sure it's from a valid and reputable vendor."
More cautionary advice came from Krehel who advised, with GSM phones, to password protect the SIM card, as well as the phone. Considerable data may be stored on the SIM - phonebooks, for instance - and this info is available just by popping the SIM into a receptive phone.
Krehel also suggested encrypting all data on the mobile device. Password protect the device, he said, but then go a step beyond by encrypting all data too. "That increases your security substantially."
But just because you have taken all the steps -- installed a vetted password storage app, password protected the phone itself as well as the app; and encrypted data on the phone and also the SIM card -- do not assume all is well.
"It really isn't very hard to break into most of those storage apps," said Bill Mathews, a co-founder of Hurricane Labs, a Cleveland-based information security firm. He claimed that many password storage apps are built around "a simple database" and if he wanted to crack into one, he would copy the database off the phone and onto a bigger CPU, then have at it using an array of tools designed to smash such defenses. Nice.
Mathews' advice: "If you really want real security, you've got to use two factor authentication. Static passwords need to die. Only then will we see genuine security."
As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation's leading publications―from Reader's Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain's New York, and Fortune Magazine.