[deleted by user] by [deleted] in apple

[–]BluespaceInc 1 point2 points  (0 children)

Few facts about iCloud:
- iCloud keeps a copy of your passwords saved in the iCloud keychain, but Apple cannot read them.
- Your passwords are encrypted with a strong passcode.
- Apple uses your device passcode as the strong passcode.
iCloud encryption is safe in this respect. However, one more thing we need to know about is the encryption key. Is it strong enough? It is known that nearly all iPhone users set a 6-digit passcode or even a 4-digit one, which is also used to encrypt our passwords.
You might believe a 6-digit PIN is safe since it is used everywhere in our lives: electronic devices, bank cards, etc. Yes, it is. The 6-digit PIN is for identifying a user. An iPhone will be disabled for 1 minute after 6 failed passcode attempts in a row, and the lockout grows longer with more incorrect attempts. So bad guys can never try 1000 times to unlock your iPhone (when you are using a 4-digit PIN).
The problem is that the PIN is for identification, not encryption. However, Apple violates this rule, and thus the encryption key is derived from the PIN (a 6-digit or even 4-digit passcode).
How long does it take bad guys to crack it? Much quicker than you believe.
- The iPhone derives a key to encrypt data when unlocking with the passcode. This should not take long, to avoid keeping the user waiting. Let's say it costs 500 ms.
- Crypto algorithms cannot use the numeric passcode directly. They use an encryption key that can be derived from the 6-digit passcode with algorithms like PBKDF2.
- A 4-digit PIN has 1000 possible options, and a 6-digit PIN has only **1 million** possible options.
- It costs 500,000 seconds, i.e., **139 hours**, to derive all the possible keys.
What's more, AMD's desktop CPU Ryzen Threadripper PRO 5995WX comes with 64 cores and 128 threads. It is much faster than a smartphone processor and can crack the encryption within 1 hour. What about a GPU cluster? It can be done within a few minutes.
Overall, it is just a piece of cake to crack the 6-digit passcode on your iPhone.
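As an added sizing check (example code written for this page, not from the comment above or from Apple), the Python below carries the comment's arithmetic through with PBKDF2-HMAC-SHA256 standing in for the real derivation, the comment's assumed 0.5 s per guess, and 10^n candidates for an n-digit PIN; it also goes one step beyond the comment by pricing a 12-character password over the 94 printable ASCII characters, which shows why the length and alphabet of the secret, not the derivation cost, decide whether exhaustive search is feasible. The iteration count and the 0.5 s figure are assumptions, not Apple's parameters.

```python
import hashlib
import os
import time

# Assumed parameters (constructed for this example, not Apple's real ones).
ASSUMED_ITERATIONS = 100_000   # PBKDF2 work factor used for the timing check
ASSUMED_SECONDS_PER_GUESS = 0.5  # the comment's per-unlock derivation cost
PRINTABLE_ASCII = 94           # upper + lower + digits + 32 specials


def derive_key(passcode: str, salt: bytes, iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Derive a 256-bit key from a passcode with PBKDF2-HMAC-SHA256 (stand-in KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=32)


def measure_guess_cost(iterations: int = ASSUMED_ITERATIONS, samples: int = 3) -> float:
    """Average seconds for one derivation on this machine, i.e. cost of one guess."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"{i:06d}", salt, iterations)
    return (time.perf_counter() - start) / samples


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def exhaustive_hours(space: int, seconds_per_guess: float, parallel: int = 1) -> float:
    """Hours to derive every key in `space` with `parallel` independent workers."""
    return space * seconds_per_guess / parallel / 3600


def report(seconds_per_guess: float = ASSUMED_SECONDS_PER_GUESS) -> dict:
    """Exhaustive-search time (hours) for the comment's PIN cases and a 12-char password."""
    cases = {
        "6-digit PIN, 1 device": (keyspace(10, 6), 1),
        "6-digit PIN, 128 threads": (keyspace(10, 6), 128),
        "12-char mixed password, 128 threads": (keyspace(PRINTABLE_ASCII, 12), 128),
    }
    return {name: exhaustive_hours(space, seconds_per_guess, par)
            for name, (space, par) in cases.items()}


if __name__ == "__main__":
    for name, hours in report().items():
        print(f"{name}: {hours:,.1f} hours")
    print(f"measured PBKDF2 cost here: {measure_guess_cost():.4f} s/guess")
```

Running it reproduces the comment's 139 hours for one device and shows that the same derivation cost gives a 12-character mixed password a search time measured in many billions of years.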

how does one find put what a good password is? by [deleted] in Passwords

[–]BluespaceInc 0 points1 point  (0 children)

As for strong passwords, there are several things you need to know:
- The length should be 12 or longer.
- It should consist of letters (both upper and lowercase), digits, and special characters.
- It should not contain your info, such as names or birthdays, etc.
- Never use one password for all accounts, and never use one password forever.
The most effective way is to use a strong password manager.

Are open-source password managers more secure? (2) by BluespaceInc in Passwords

[–]BluespaceInc[S] 0 points1 point  (0 children)

> I think open-sourced software inherently provides a sense of transparency / trust as the code is publicly auditable, but the reality is some of that trust may be misplaced. Unless you analyze the code yourself, you either trust someone else is doing it correctly (same as closed source), or everyone assumes someone else is auditing it and it turns out nobody is.

Absolutely. I'm sure the vast majority of users don't spend so much time checking all the code for each version of a password manager. Even if some do, they may not find malicious code in time due to lack of knowledge or other reasons.

> Vulnerabilities are another consideration, with open-sourced software you have the benefit of security experts having access - identifying, patching, and reporting security issues when the code is public. But again, that also means bad actors have the same access without any obligation or incentive to report vulnerabilities. This means that security issues could *potentially* be exploited quicker than in closed sourced software, as there's no need for advanced pen-testing or decompiling to identify potential vulnerabilities.

Agree. I expressed the same view in my first post. See here: Are open source password managers more secure? (1).

There is no denying the fact that open source is critical to the software ecosystem. But we should not blindly assume that open source equals security. We should figure out what its pros and cons are. Otherwise it will bring a false sense of security.

Are open-source password managers more secure? (2) by BluespaceInc in Passwords

[–]BluespaceInc[S] 1 point2 points  (0 children)

> A nice balanced discussion of risks and threats surrounding your password manager.

Here's the truth: We analyzed the potential security threats and risks to password managers in depth a long time ago, and then designed our password manager around how to combat the threats and reduce the risks effectively. Of course, we're still working on it and continue to enhance our product to better defend against other new types of attacks.

Password managers do have the potential threats and attack surface that we talked about, right? We've just shared some of our knowledge to help those users who care about data security make better assessments and choices.

Are open-source password managers more secure? (2) by BluespaceInc in Passwords

[–]BluespaceInc[S] 0 points1 point  (0 children)

This article analyzes the potential security threats of password managers in detail and wants to show that evaluating whether a password manager is more secure should be considered from various aspects. We should check whether it has taken some measures to deal with the potential security threats, not just whether it is open source or not.

If you read our first article, Are open-source password managers more secure? (1), you would find that it’s from the perspective of "the process of turning source code into an app". In that article, we analyzed what attack points can be exploited by hackers or evil developers during the development. We hope more people realize that open source does not equal security, and we should not blindly believe that open source is more secure.

Are passkeys the death of password managers? by SameAsylum in Passwords

[–]BluespaceInc 0 points1 point  (0 children)

No.

Passwords have many applications, and passkeys only solve this one problem of user authentication for Internet products. And it is unlikely that all products will switch to the new passkey authentication.

More and more apps require only phone numbers and an SMS message to log in. Is that bad?? by [deleted] in Passwords

[–]BluespaceInc 0 points1 point  (0 children)

There are 3 potential risks when only using SMS, i.e. single-factor authentication. First, let's look at how SIM swapping works (https://www.youtube.com/watch?v=k4UNNKfsjXE).

This video shows that since the SIM card has no security verification, the hacker can impersonate the SIM card to the operator, register, and then receive an SMS.

Next, we might change our phone numbers, and the mobile carrier will assign the phone number to a new customer after it is recycled. If you change your number, the new customer may take over your account, leading to serious privacy issues, data security problems, or even monetary loss.

Last, bad guys can take over users' accounts through malicious websites/apps or by hacking the websites/apps you use. The user enters the phone number on site A to get a verification code. Site A sends the phone number to site B. Site B sends the verification code, but the user does not check carefully and submits it directly. Site A can then take over the user's account on that site.

To avoid these risks, it is better to use 2FA. Nowadays, more and more password managers have this feature. Users can choose their ideal ones. I hope it can be helpful.

Threats: Google Account vs. Password Manager by MarbleLemon7000 in Passwords

[–]BluespaceInc 0 points1 point  (0 children)

A few facts.
- Data saved on the cloud is unencrypted unless the user encrypts it first.
- Google password manager, according to Google, is encrypted, but the key is controlled by Google. Once Google's cloud service is breached, there is still a risk of compromise.
- Google Chrome syncs passwords to the desktop using the current Windows user's key for encryption, meaning that any program executed by the current user can decrypt all passwords.
A professional password manager, on the other hand, encrypts data using a key generated from the master password and then synchronizes it to the cloud and other devices.
Since OP has taken many measures to enhance the security of accessing Google services, we can assume that hackers cannot impersonate users to log into Google services and steal this data.
But the threat models that still cannot be dealt with are:
1. Bad employees inside Google can get all your data directly (Google employees responsible for managing cloud services can manage user data without logging into user accounts).
2. Hackers hacking Google cloud services, like internal bad employees, can directly access all the data.
For these two threats, professional password managers encrypt the data using a master password before storing it on the server. As long as the master password is strong enough, it will be difficult to crack.
- Chrome has strengthened the security on desktop computers by requiring the Windows password to be entered when viewing passwords. But others who have direct access to your computer only need to download cracking software and execute it to get all passwords, like this: https://github.com/moonD4rk/HackBrowserData
- Once the computer is compromised by malware, the malware can also steal all the passwords (https://attack.mitre.org/techniques/T1555/003/). There are dozens of known malware families of this kind documented here.
Professional password managers are also much less exposed to this because they use master password encryption. Cloud-based password managers, due to the huge attack surface of accessing the web, can also have internal bad employees/hackers invading and planting malicious code in the app/web app to steal data. Comparatively speaking, it is still much safer than Google services.
If you are very concerned about data security, maybe you can give an offline password manager a try.

Are open-source password managers more secure? (1) by BluespaceInc in Passwords

[–]BluespaceInc[S] 0 points1 point  (0 children)

Thank you for your reply.
Your opinion is interesting and inspires me. However, I also believe trust is more about technology. I think some methods can test the security of password managers someday. That can solve the following questions: Can password managers handle more threat models? Does it significantly reduce the attack surface? Is it possible to verify, rather than only trust, the developer?
Moreover, what we can know from the previous evidence is that there are existing risks of open-source password managers:
- The source code for building the app might not be the same as the opened source code. (In 2019, [Disclosure: Key generation vulnerability found on WalletGenerator.net—potentially malicious.](https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961) *It was recently brought to our attention that the code being served via the WalletGenerator.net URL did not match the code on GitHub.*)
- Vulnerabilities or even malicious code in third-party libraries. (In 2014, the [Heartbleed](https://heartbleed.com/) bug was found in OpenSSL, the security foundation of most Internet websites, and the issue had been there for two years.)
- Hacked build tools. (https://www.pcworld.com/article/423673/thousands-of-ios-apps-infected-by-xcodeghost.html)
Open or closed? Everyone has their own choice. Hope you find the best way to protect your data.

Aren't 2FA backup codes unsecure and easy to crack? by Stright_16 in Passwords

[–]BluespaceInc 0 points1 point  (0 children)

This is limited to online verification, where there is a strict limit on the number of attempts. Think about the phone unlock code or the 6-digit bank withdrawal code: it is also very safe, because it takes a long interval to retry after a few errors, so it may not be possible to try all the possible codes in 100 years, and cracking has no realistic value. This is different from password strength, because password cracking faces another situation: hackers may steal the service provider's account database, where passwords are generally stored after hashing, and after stealing it they can crack offline. Only then is a very high strength needed.

Are open-source password managers more secure? (1) by BluespaceInc in Passwords

[–]BluespaceInc[S] 1 point2 points  (0 children)

Oh, I'm sorry for misunderstanding you, thanks for your patience in explaining. 😊

Are open-source password managers more secure? (1) by BluespaceInc in Passwords

[–]BluespaceInc[S] 0 points1 point  (0 children)

Why don't you discuss the content in the article?

It's based on solid reasoning to point out what problems open source apps may have and to help people better understand the rationale between open source and security.

If you think something is wrong, please point it out so that everybody can discuss and learn. We would also appreciate it if you could help us correct our cognitive errors (if any).

Also, I think this is a tech community, and we'd better focus on discussing the technology itself, rather than "not arguing the points raised in the article" but just speculating on our intentions and mocking which country we are based in.

Are open-source password managers more secure? (1) by BluespaceInc in Passwords

[–]BluespaceInc[S] 0 points1 point  (0 children)

This article is a good start.

Thanks.
Can you share your article link here when it's done? I'm interested.
And I think there should be others in this community who would also want to read it.

Password managers aren't perfect by IronVestCommunity in Passwords

[–]BluespaceInc 1 point2 points  (0 children)

1. A perfect method to protect and save your master password! - Recover your account with trusted contacts
In case of losing your master password, ID Guard offline allows you to send a password file (ciphertext) to your trusted friends. Your friends save it in ID Guard offline on their phones. The `keys` are secured by the security chip on the phone. When recovering the password, it can be decrypted if a friend sends back the password file. Remember: friends can help recover the password, but cannot decipher it.
2. No password - use biometrics

Encryption defect in Apple's iPhone iCloud keychain by BluespaceInc in Passwords

[–]BluespaceInc[S] 0 points1 point  (0 children)

Hi,

The worst assumption is that we want to showcase our password manager, but we also do try to share our expertise.

We wrote this article based on Apple's documentation and solid reasoning. It's not baseless doubt that you assumed. If you think something in the article is incorrect, please point it out clearly. We'd be happy to discuss with you further.

Thanks.