Samarama: iOS, macOS software developer

Why should I use a password manager?

Some articles on password managers:

Am I An Idiot for Still Using a Password Manager? – Gizmodo – June 2015
Should You Use a Password Manager? – Tom's Guide – June 2014
Why You Should Use a Password Manager and How to Get Started – How To Geek – March 2013

Dangers of auto-fill in web browsers

SamuraiSafe doesn't use autofill of web pages with the web browser – but many password managers do – and there are risks in doing so:

Web trackers exploit browser login managers – Princeton Centre for IT Policy – December 2017
Potent LastPass exploit underscores the dark side of password managers – Ars Technica – March 2017
How I made LastPass give me all your passwords – Detectify Labs – July 2016

Security and Privacy often incur a tradeoff with convenience. Solutions are often complex and may not be correct or complete. My view is keep things simple. See also Password Managers: Attacks and Defences below.

The SamuraiSafe Design Philosophy is minimalist – simple and secure, with your private data fully under your control.

SamuraiSafe News

Password History and Safe Format Upgrades (iOS and macOS)

May 2018

SamuraiSafe now supports password history (retaining previously saved passwords). In order to use the Password History feature, each password safe requires a file format upgrade. It is important not to enable this option until all your devices on which you use SamuraiSafe are updated. See Support for details on migration.

Change Warning Dialogs for iCloud safes on iOS 11 & macOS 10.13

February 2018

Apple has introduced in iOS 11 and macOS 10.13 low level notifications when iCloud documents are opened by an app. A side effect of these notifications, and the way SamuraiSafe is implemented, is that you may receive a warning of changes being made on other device, when a change has not been made — rather the safe has simply been opened on the other device. See Support for details.

SamuraiSafe for iOS V1.4.12

September 2017

Added Touch ID/Face ID, Drag and Drop for iPad and improved password generation options.

SamuraiSafe for macOS V1.3.13

July 2017

After a short flurry of updates during the Aussie winter:
• New pass phrase generator option modelled on Diceware.
• New standard password generator (faster, and the frequency distribution of character classes is better).
• Added tabbing control [macOS 10.12]+.
• Improved security by ensuring that group and entry titles are never visible on screen when safe is locked.
• Ability to use SamuraiSafe with keyboard only has been restored.
• The menu bar icon has been restored.

SamuraiSafe for macOS V1.3.7

December 2016

• You can now drag and drop the NAME, PASSWORD and WWW (URL) buttons onto text fields in other applications.
• Improved notification of iCloud changes made on other devices. Reverts to read only mode if required.
• Clarified use of iCloud Drive for macOS 10.11 and later in Help.

SamuraiSafe for macOS CSV Migration tool

November 2016

If you wish to migrate to SamuraiSafe and your old data is in CSV format (or in an Excel file), a new tool may assist.
See Support for more details.

Password Security News

Diceware passwords now need six random words to thwart hackers

February 2017

Diceware is an effective way of generating strong passwords by rolling dice. Ars notes the creator now recommends using six words where five were previously recommended. The SamuraiSafe passphrase feature introduced in V1.3.13 is modelled on Diceware but uses a larger word list (~21,000 vs 7,776 for Diceware). The random number generator used in SamuraiSafe is cryptographically strong - but nothing beats truly random source of data.

Why you still can’t trust password strength meters

August 2016

Naked Security explains why you can’t trust (most) password strength meters. SamuraiSafe uses the password strength meter that was the best performing. ZXCVBN from DropBox.

The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers

August 2014

A security analysis of five popular web-based password managers. Unlike “local” password managers, web-based password managers run in the browser. The authors identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through case studies. The attacks are severe: in four out of the five password managers studied, an attacker can learn a user’s credentials for arbitrary websites.

Password Managers: Attacks and Defences

August 2014

A study of security of popular password managers and their policies on automatically filling in Web passwords. Browser built-in password managers, mobile password managers, and 3rd party managers are examined. Significant differences in autofill policies among password managers are observed. Several autofill policies can lead to disastrous consequences where a remote network attacker can extract multiple passwords from the user’s password manager without any interaction with the user.

“Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?

March 2012

This paper by Belenko and Sklyaro from Elcomsoft analyses a number of iOS and Blackberry password managers and their failings.

Resources

SamuraiSafe Encryption Algorithms

May 2013

Should you trust SamuraiSafe? The core encryption algorithm used in SamuraiSafe is published on github. However, as Belenko and Sklyarov (above) point out, you should always also set a device password, and encrypt your device backups.

Android vs Apple iOS Security Showdown

July 2012

Comparison of iOS and Android security, security best practices, a presentation from Tom Eston.

Products