SamuraiSafe is a password manager for iOS and macOS. Supports Touch/Face ID and Password Autofill.
Samurai Search searches source code, plain text and PDF files on your iOS device or in iCloud. You may then open selected files in your favourite editing/viewing app.
Password Security News
As hardware has become faster, the cost of a brute-force attack on an encrypted safe has fallen. To counter this risk, SamuraiSafe now:
- ensures your safe password is strong (by setting a minimum standard for safe passwords),
- can use a stronger algorithm to generate the encryption key:
Enhanced encryption is a new option in SamuraiSafe settings. Currently the default is off.
The safe password needs to be updated for enhanced encryption to be enabled.
The safe version will be indicated on the password history panel:
- V1: original safe format
- V2: adds password history, autofill customisation
- V2E: adds enhanced encryption key
Note: safes with enhanced encryption won’t be recognised by old versions of SamuraiSafe (i.e. older than V1.5.16 on macOS and V1.6.29 on iOS). They will fail to open with an incorrect password message. So ensure all your copies of SamuraiSafe are up to date prior to enabling this feature.
If Enhanced Encryption is disabled, new safes will have standard (V2) encryption, and changing the safe password downgrades the safe to standard (V2) encryption.
iPhone 6s: ~224ms, iPhone 14: ~58ms.
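As an added illustration (not SamuraiSafe's own code) of why a slower key-derivation step raises the attacker's cost per guess: the page does not name its algorithm, so PBKDF2-HMAC-SHA256 and the two iteration counts are assumptions, and the minimum-standard rule is hypothetical.

```python
import hashlib
import math
import os
import time

# The page does not name the key-derivation algorithm, so PBKDF2-HMAC-SHA256
# stands in here; the two iteration counts are constructed for illustration.
STANDARD_ITERATIONS = 10_000    # stands in for the "standard (V2)" cost
ENHANCED_ITERATIONS = 600_000   # stands in for the "enhanced (V2E)" cost

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the safe password into the 256-bit key that encrypts the safe."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)

def meets_minimum_standard(password: str, min_length: int = 12) -> bool:
    """Hypothetical minimum standard: length plus at least three character classes."""
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return len(password) >= min_length and classes >= 3

def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Best-of-N timing of one derivation on this device (cf. the footnote)."""
    salt = os.urandom(16)
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("timing-probe-only", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def expected_brute_force_years(password_bits: float, secs_per_guess: float,
                               parallel_guessers: int = 1) -> float:
    """Expected time for an attacker who must try half the password space,
    each guess costing one full key derivation on comparable hardware."""
    guesses = 2 ** (password_bits - 1)
    return guesses * secs_per_guess / parallel_guessers / (365.25 * 86400)

if __name__ == "__main__":
    for label, iters in (("V2", STANDARD_ITERATIONS), ("V2E", ENHANCED_ITERATIONS)):
        t = seconds_per_derivation(iters)
        print(f"{label}: {t * 1000:.1f} ms per derivation; a 40-bit password "
              f"holds out ~{expected_brute_force_years(40, t):.1f} years "
              f"against one guesser")
```

The per-derivation time scales linearly with the iteration count, which is exactly the factor by which every attacker guess becomes more expensive.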
LastPass notified customers on their blog of a Security Incident. The initial incident was in August 2022, with LastPass expressing confidence that only a development environment had been accessed. An update in September 2022 reiterated that position.
Subsequent updates have detailed loss of backups of encrypted customer vaults, including unencrypted fields and IP addresses. LastPass customer data including company names, end user names, email addresses and telephone numbers were also lost.
This raises the questions:
a) why does LastPass hold any customer vault data,
b) why are some fields unencrypted,
c) why are IP addresses logged?
What wasn’t lost are the master passwords, which don’t leave the end user device. However, this means the data is only as safe as the strength of that master password. The breach is analysed further in What’s in a PR statement: LastPass breach explained.
The pseudo random number generator (PRNG) used to generate passwords for the Kaspersky Password Manager was very weak, and wasn’t suitable for cryptographic use. It was being seeded by the current time (in seconds), which meant that every instance of the Kaspersky Password Manager in the world would generate the exact same password at a given second. It was therefore very easy to brute-force. It has subsequently been updated.
SamuraiSafe uses a cryptographically strong random number generator for generating passwords.
This article points out that if your iOS passcode is discovered, your passwords stored in the iOS Keychain will be exposed. The solution is to store your passwords somewhere else. Like SamuraiSafe.
If you use SamuraiSafe for autofill, knowing the iOS passcode won’t expose your passwords stored in SamuraiSafe. If you have enabled Touch ID or Face ID, you need a valid biometric authentication in order to access SamuraiSafe. If you add a new Touch ID or Face ID credential, SamuraiSafe will invalidate the stored SamuraiSafe password.
SamuraiSafe resisted adopting password autofill of web pages within the web browser, as the implementations were often vulnerable to compromise. SamuraiSafe now adopts Apple’s AutoFill Credential Provider Extension interface which is built into iOS/iPadOS/macOS. It aims to avoid such vulnerabilities.
Importantly there is no auto in Autofill. User authentication and confirmation is always required. In addition, Apple goes to some lengths to ensure the websites or domain associated with an application are legitimate, although one can’t discount the possibility that these mechanisms may be circumvented in certain situations.
Some articles about things going wrong:
- Web trackers exploit browser login managers – Princeton Centre for IT Policy – Dec 2017
- Potent exploit underscores the dark side of password managers – Ars Technica – Mar 2017
Security and privacy often incur a tradeoff with convenience. Solutions are often complex and may not be correct or complete. By keeping things simple the risk of vulnerabilities is reduced.
An analysis of five popular commercial password managers discussing previously disclosed vulnerabilities and exploits for newly discovered vulnerabilities. Many of the previously reported vulnerabilities have been found to persist.
An attack on the server API used by a popular password manager. The exploit tricks the password manager server into disclosing your encryption key. It arises from an interaction between a trusted extension user interface and web applications.
SamuraiSafe never uploads your private key anywhere. It has no centralised server functionality.
By analysing password managers in running states on Windows 10, ISE found a fatal flaw in an otherwise good password manager. This type of exploit requires malicious access to the OS, so potentially applies to macOS (or a jailbroken/compromised iOS).
This highlights the difficulty of securing data on a desktop system, and indicates that password managers that remain active for long periods of time need to be particularly well designed. Limiting the time active is a sensible strategy.
Diceware is an effective way of generating strong passwords by rolling dice. Ars notes the creator now recommends using six words where five were previously recommended. The SamuraiSafe passphrase feature is modelled on Diceware but uses a larger word list (~21,000 vs 7,776 for Diceware).
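An added example (not Kaspersky's, Diceware's or SamuraiSafe's code) serving both the time-seeded PRNG item above and this passphrase item: it places the weak pattern beside a CSPRNG-backed generator and works the entropy arithmetic for the list sizes quoted. The word list is a constructed stand-in; only the list size enters the entropy calculation.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in word list; only the list size matters for the entropy
# arithmetic (Diceware: 7,776 words, SamuraiSafe: ~21,000).
DEMO_WORDS = ("anvil", "bridge", "cobalt", "dune", "ember", "fjord",
              "glacier", "harbor", "ivory", "juniper", "kestrel", "lantern")

def weak_generate(length: int, seed_seconds: int) -> str:
    """The flaw described above: a non-cryptographic PRNG seeded with the
    clock in whole seconds, so every instance started in the same second
    produces exactly the same password."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_generate(length: int) -> str:
    """CSPRNG-backed generator: every symbol is drawn from os.urandom."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def passphrase(word_list, n_words: int) -> str:
    """Diceware-style passphrase: n independent uniform picks from the list."""
    return " ".join(secrets.choice(word_list) for _ in range(n_words))

def entropy_bits(pool_size: int, n_picks: int) -> float:
    """Entropy of n independent uniform picks from a pool of pool_size."""
    return n_picks * math.log2(pool_size)

def weak_effective_bits(seed_window_seconds: int) -> float:
    """Whatever its length, a time-seeded password has no more entropy than
    the number of plausible seeds, e.g. one year's worth of seconds."""
    return math.log2(seed_window_seconds)

if __name__ == "__main__":
    print("16 chars, CSPRNG:     ", strong_generate(16),
          f"{entropy_bits(len(ALPHABET), 16):.1f} bits")
    print("16 chars, time-seeded:", weak_generate(16, 1_700_000_000),
          f"<= {weak_effective_bits(365 * 86400):.1f} bits")
    for name, size, n in (("Diceware x5", 7776, 5), ("Diceware x6", 7776, 6),
                          ("SamuraiSafe x6", 21000, 6)):
        print(f"{name:15} {entropy_bits(size, n):.1f} bits")
    print("demo passphrase:", passphrase(DEMO_WORDS, 6))
```

Six words from the ~21,000-word list give roughly 86 bits, against roughly 78 for six Diceware words and 65 for five; the time-seeded 16-character password, however long it looks, is bounded by about 25 bits for a one-year seed window.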
Should You Use a Password Manager? discusses the pros and cons of using a password manager. Am I An Idiot for Still Using a Password Manager? questions the risks of managers that store your data server side.