Jeffrey Rogers
Member Since: 25 Mar 2011

Jeffrey Rogers's Posts
drskorzy reviewed on 09 Apr 2012
I've been a SplashID user for several years now. I've got the iOS SplashID version as well as SplashID Safe on my desktop computer.

I also listen to a podcast concerning internet and computer security called "Security Now" by GRC.com: Steve Gibson and Leo Laporte. The current podcast (#347) outlines the security of the iOS version of SplashID.

Transcript: http://www.grc.com/sn/sn-347.htm

Under their analysis, it was revealed that SplashID users' master passwords are encrypted under Blowfish using a FIXED key. That fixed key being "g.;59?^/0n1X*{OQIRwy."

Therefore, every user, regardless of their master password, has that master password encrypted using this one fixed key. This fixed key (now public) can easily be used to decode the user's master password, and thus to access the encrypted data. This makes SplashID's security worthless under its current incarnation. I'm frankly outraged.

There's no reason why SplashID shouldn't be generating a random, device-specific key. Other password managers do this!

I like SplashID. I like the way it looks and functions. I've got hundreds of passwords and personal financial information stored in it. My jaw dropped when I listened to Security Now's podcast.

Until SplashData fixes this blatant security hole, I will no longer be using your software. I am dumbfounded how a really obvious security flaw like this was overlooked!
[Version 6.0.4]


