Disagreement on Password Vault Software Findings

Thursday, April 12, 2012

Brent Huston


Recently, some researchers have been working on comparing password vault software products and have justifiably found some issues.

However, many of the vendors are quickly moving to remediate the identified issues, many of which were simply improper use of proprietary cryptography schemes.

I agree that proprietary crypto is a bad thing, but I find fault with articles such as this one where the researchers suggest that using the built-in iOS functions is safer than using a password vault tool.

Regardless of OS, platform or device, I fail to see how depending on simple OS-embedded tools, versus OS-embedded tools plus the additional layers of whatever mechanisms a password vault adds, reduces risk to the user.

It would seem that the additional layers of control (regardless of their specific vulnerability to nuanced attacks against each control surface) would still add overall security for the user and complexity for the attacker to manage in a compromise.

I would love to see a model on this scenario where the additional controls reduce the overall security of the data.

I could be wrong (it happens), but in the models I have run, they all point to the idea that even a flawed password vault wrapped in the OS controls is stronger and safer than the bare OS controls alone.
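The two paragraphs above argue that layered controls multiply the attacker's work and ask for a model in which an added control makes things worse. The following is an added example, not code, numbers or modelling from the original post or from any vendor: every probability in it is a constructed assumption, and the "extra path" is a hypothetical architectural feature, not a known behaviour of any product. It treats controls on one attack path as independent layers in series (bypass probabilities multiply, so even a flawed layer lowers risk) and separate attack paths as parallel (a control that opens a second path can raise overall risk no matter how good its own crypto is).

```python
from typing import Dict, List

# Added example, not from the original post. Every probability below is a
# constructed, made-up number chosen to illustrate the arithmetic; nothing
# here describes a real product or a real measured bypass rate.


def path_bypass_probability(layers: List[float]) -> float:
    """Probability that an attacker gets through every control on one path.

    Controls on a single path are in series: assuming their failures are
    independent, the bypass probabilities multiply, so adding a layer with
    bypass probability < 1 can only lower this value.
    """
    p = 1.0
    for bypass in layers:
        if not 0.0 <= bypass <= 1.0:
            raise ValueError(f"bypass probability out of range: {bypass}")
        p *= bypass
    return p


def overall_compromise_probability(paths: Dict[str, List[float]]) -> float:
    """Probability that at least one attack path succeeds.

    Distinct paths are in parallel: the secret is safe only if every path
    fails, so P(compromise) = 1 - prod(1 - P(path_i)). A new path therefore
    raises this value even when the controls on it are individually strong.
    """
    all_fail = 1.0
    for layers in paths.values():
        all_fail *= 1.0 - path_bypass_probability(layers)
    return 1.0 - all_fail


def compare_scenarios() -> Dict[str, float]:
    """Three constructed scenarios around the post's argument."""
    os_lock = 0.30       # assumed: chance the OS lock/keychain alone is bypassed
    vault_flawed = 0.60  # assumed: a "flawed" vault still stops 40% of attempts
    extra_path = 0.50    # assumed: a hypothetical second path (e.g. remote sync)

    scenarios = {
        # Bare OS controls only: one path, one layer.
        "os_only": {"device": [os_lock]},
        # The post's claim: the vault sits behind the OS control on the same
        # path, so even a flawed vault lowers the bypass probability.
        "os_plus_flawed_vault": {"device": [os_lock, vault_flawed]},
        # The model the post asks for: the vault also opens a second path
        # that does not pass through the OS control at all.
        "os_plus_vault_with_extra_path": {
            "device": [os_lock, vault_flawed],
            "extra_path": [extra_path],
        },
    }
    return {name: overall_compromise_probability(p) for name, p in scenarios.items()}


if __name__ == "__main__":
    for name, prob in compare_scenarios().items():
        print(f"{name:32s} P(compromise) = {prob:.2f}")
```

With the constructed numbers, the flawed vault in series drops the assumed 0.30 to 0.18, while the same vault plus a hypothetical extra path rises to 0.59. The independence assumption is the caveat to check in a real threat model: two layers unlocked by the same PIN or the same device key do not fail independently, and their bypass probabilities should not simply be multiplied.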

In the meantime, while the vendors work on patching their password vaults and embracing common crypto mechanisms, I’ll continue to use my password vault as is, wrapped in the additional layers of OS controls and added detection mechanisms my systems enjoy.

I would suggest you and your organization’s users continue to do the same.

Cross-posted from State of Security

Comment from Daives bursten: All my passwords are in one place and very well organized now. Thanks to SplashID.