Samarama is an Australian software developer, developing applications on iOS and macOS.

Products

SamuraiSafe
Password Manager for iOS: V1.5.5, 20 June 2019
— Release Notes
App Store

SamuraiSafe
Password Manager for macOS: V1.4.9, 8 June 2019
— Release Notes
App Store

Why should I use a password manager?

Some articles on password managers:

Dangers of auto-fill in web browsers

SamuraiSafe doesn't autofill web pages in the web browser, but many password managers do, and there are risks in doing so. Security and privacy often involve a tradeoff with convenience. Solutions are often complex and may not be correct or complete. My view is to keep things simple. See also Password Managers: Attacks and Defences below.

The SamuraiSafe Design Philosophy is minimalist – simple and secure, with your private data fully under your control.

SamuraiSafe News

Password History and Safe Format Upgrades (iOS and macOS)

May 2018
SamuraiSafe now supports password history (retaining previously saved passwords). In order to use the Password History feature, each password safe requires a file format upgrade. It is important not to enable this option until all your devices on which you use SamuraiSafe are updated. See Support for details on migration.

SamuraiSafe for macOS CSV Migration tool

November 2016
If you wish to migrate to SamuraiSafe and your old data is in CSV format (or in an Excel file), a new tool may assist.
See Support for more details.

Password Security News

Should you be concerned about a password manager that uploads passwords to its server?

March 2019
An attack on an internal server API used by a popular password manager.

Recovering the Master Password from a Locked Password Manager

February 2019
By analysing password managers in running states, ISE found a fatal flaw in an otherwise great password manager.

Diceware passwords now need six random words to thwart hackers

February 2017
Diceware is an effective way of generating strong passwords by rolling dice. Ars notes the creator now recommends using six words where five were previously recommended. The SamuraiSafe passphrase feature introduced in V1.3.13 is modelled on Diceware but uses a larger word list (~21,000 vs 7,776 for Diceware). The random number generator used in SamuraiSafe is cryptographically strong, but nothing beats a truly random source of data.

Why you still can’t trust password strength meters

August 2016
Naked Security explains why you can’t trust (most) password strength meters. SamuraiSafe uses the password strength meter that performed best: zxcvbn from Dropbox.

The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers

August 2014
A security analysis of five popular web-based password managers. Unlike “local” password managers, web-based password managers run in the browser. The authors identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through case studies. The attacks are severe: in four out of the five password managers studied, an attacker can learn a user’s credentials for arbitrary websites.

Password Managers: Attacks and Defences

August 2014
A study of the security of popular password managers and their policies on automatically filling in Web passwords. Browser built-in password managers, mobile password managers, and 3rd party managers are examined. Significant differences in autofill policies among password managers are observed. Several autofill policies can lead to disastrous consequences where a remote network attacker can extract multiple passwords from the user’s password manager without any interaction with the user.

“Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?

March 2012
This paper by Belenko and Sklyarov from Elcomsoft analyses a number of iOS and BlackBerry password managers and their failings.

Resources

SamuraiSafe Encryption Algorithms

May 2013
Should you trust SamuraiSafe? The core encryption algorithm used in SamuraiSafe is published on GitHub. However, as Belenko and Sklyarov (above) point out, you should always also set a device password, and encrypt your device backups.

Android vs Apple iOS Security Showdown

July 2012
A presentation from Tom Eston comparing iOS and Android security and covering security best practices.