Password Storing Programs on Palm-based PDAs
March 18, 2002
A common use for PDAs is store useful passwords (and similar kinds of confidential information, such as credit card numbers). Ideally, of course, you wouldn't use a PDA or paper to store passwords - you should memorize all your passwords. For many this is impractical, because they have too many passwords to remember.

Here are some suggestions for open source software / free software (OSS/FS) available for the Palm, For more information on the advantages of OSS/FS, see Why OSS/FS? Look at the Numbers!

If you choose to store passwords on a PDA, there is the risk of someone else getting your passwords by stealing the PDA or reading the PDA's database backups. Thus, if you use a PDA to store important passwords, you must use a program specifically designed to store passwords. You should not store important passwords on your PDA using the ``hide'' command, because these can be easily unhidden. The built-in password protection for hidden text is useless, because the data isn't actually encrypted. Password protecting the entire PDA doesn't really help either - most PalmOS systems support a ``debug'' command that bypasses the PalmOS login screen (for more about this and other PalmOS security weaknesses, see Security Analysis of the Palm Operating System and its Weaknesses Against Malicious Code Threats by Kingpin and Mudge, Usenix Security 2001).

For storing passwords, there's a wonderful problem - there are three programs that meet this need reasonably well. They all work the same way: they encrypt all the passwords and related data using a single ``master'' password, so instead of having to remember many passwords you only need to remember one. This means that the major weakness for any of these programs is the master password - you must choose a good, hard-to-guess master password or any of these programs can be quickly subverted, and you must remember the master password! A good password has at least 8 characters, includes uppercase, lowercase, a digit, and a punctuation mark, and isn't a dictionary word. Computers can rapidly try out different passwords, which is why short passwords are usually vulnerable to attackers.

Here are the three OSS/FS programs that do this, with some comments about each. These programs are worthless if they're not secure, so I'll particularly emphasize any clues to how secure they are:

Strip (GPL license). This program (version 1.0 AES), short for Secure Tool for Recalling Important Passwords, uses the 256-bit AES algorithm to encrypt all the data. AES is a relatively new encryption algorithm, but it's been heavily examined and it's been recently selected as the new U.S. encryption standard, so this is a very good choice. By default, Strip will automatically re-lock all the passwords when you turn off the PDA, and it always locks the passwords when you switch to another application; this is good, because it's safe and easy to understand. Strip also supports S/Key one-time-use passwords, which is very nice if you ever use S/Key. Strip has some clever mechanisms for sharing certain sets of passwords with other PDA users by beaming them (if you want to); see the documentation for more information. I don't recommend sharing passwords, actually, but you might want to conveniently share other confidential pieces of information this way. You can download ``StripCS'' to upgrade from older versions of Strip; new users don't need StripCS.
The user interface is easy to understand, but it's not quite as convenient as the other two programs' interfaces. When you start up Strip and enter the master password, you have to select the category and then the specific entry before you can see a given entry's password. This is very un-Palm-like; the other programs handle categories like the To-do application, letting you select categories to view on the top right and including an ``all' category to show all the entries. If you want to see or edit the notes, you have to hit yet another option; the other programs show notes along with the other data and don't require yet another action. Also, when you use the program for the first time, there's no confirmation of the master password: be sure to correctly enter the master password you intend to use!
In spite of these minor weaknesses, I like Strip the best. I'm not alone in this view; an article in Time Digital declared back in August 2000 that Strip is one of the ``Top Five Palm Programs You Should Grab''. Not just one of the top five OSS/FS programs - the top five, period.
Keyring (GPL license). This program uses the Triple-DES algorithm to encrypt the passwords. Triple-DES is a very well-tested algorithm, and is a very good choice as an encryption algorithm. It also uses the MD5 algorithm; recently MD5 has been shown to have weaknesses, so this might be a source of weakness for the program. When you first start up the Keyring program (version 1.1, 2002-03-11) you get a big warning that this is still beta software - while it's true that some beta software is better than some other released software, this doesn't inspire confidence! Its warning to save all data first was unfortunately true - when I selected one of its debugging options, my PDA crashed and lost all its data (note to self: don't use the debugging options!). To be fair, I didn't have this problem as long as I didn't use the optional debugging options. I'd use the older version, but one of the fixes removed a bug that might reveal passwords; hopefully by the time you read this that bug has been removed.
Keyring does not require users to enter the master password to see the categories or the names of the entries. While this doesn't give away the passwords or comments, in my opinion this is way too much information to give away to an attacker without the master password, and I view this as a minor security problem.
Once you enter a master password into Keyring, it's remembered for a (settable) period of time; you can also press a command to immediately lock the program. This means that you can leave the Keyring program, run another program, turn the PDA off and on, and still have the passwords available until the time limit is set. This approach works, but I think this approach greatly weakens its security. Allowing other programs to run while the passwords are vulnerable is asking for trouble; PalmOS doesn't have memory protection, and this approach appears to me to increase the risk of allowing the passwords to unintentionally leak. I'm not referring so much to intentionally malicious programs, but simply programs that might unintentionally create copies of secret data while they do other things. I also worry that the timers to re-lock the passwords might be circumventable (again, by secret debug commands or other faulty software in the Palm). You can set the memorized time to zero, but this makes the program harder to use than the other programs - you then have to re-enter the master password for every entry. At any time you can re-lock all the passwords, but it's easy to forget to do this. In short, developers seem to have made several design choices in the name of convenience that put the data at greater risk. With different user interface design choices, they could have made it as easy to use without the risks.
On the positive side, there is clearly an active development community that works to keep this program secure. Additions to version 1.1 (from version 1.0) improved the randomness of generated keys, and they made worked to destroy encryption keys in memory (a critical issue for this kind of program, and especially so since their design makes leakage more likely).
Lockbox (old-BSD-like license with required acknowledgement). Lockbox uses the RC4 encryption algorithm; I'm not aware of any fundamental breaks of in this algorithm, but it's not a very good choice as the underlying encryption algorithm. First, there is the potential for legal hassles (RSA has often claimed that it will sue unlicensed users; there seems to be no good legal grounds for this, but simply filing a suit could cause serious problems). RC4 is a stream cipher designed for communications, not for encrypting a block of data, so RC4 doesn't take advantage of the values of later bytes when it encrypts a byte (block cipher algorithms like triple-DES and AES can do a better job scrambling data across a larger block). RC4 is also hard to use correctly, and many systems have been exploited through these subtle errors (see my book on writing secure programs for some information about this). Lockbox's choice of RC4 makes me suspect that it might have a weaker designs in other areas too.
Lockbox has limited functionality, too. It can't generate random passwords (the other two can). It also can't hide the characters of the master password while you're entering it (the other two can optionally do this, and I recommend using this option). The Lockbox license on the website says that the source code can be redistributed, but the source code doesn't seem to be easily accessible. The vendor sells a ``Lockbox Pro'' edition, which has more features, and that probably explains why the source code has quietly ``disappeared.'' I see little evidence of an active community reviewing its code for security problems, so that gives me little confidence in the security of Lockbox.

I have not spent the time to do a thorough security analysis of the programs' actual code, because such analyses take a long time. Fundamentally, developers of these kinds of programs have to make sure that certain things are done right. For example, they need to make sure that they erase any memory that ever had passwords. This is why having the source code and an active community that reviews it is so important, to find and resolve such things.

Now, for those of you who think one of these programs will make you the next James Bond: forget it. Triple-DES and AES algorithms probably won't be broken in the near-term given current technology, but these programs won't counter assailants with many resources. The program in your PDA could be modified (e.g., by another program on the PDA, by someone briefly stealing your PDA, or via the computer the PDA syncs to). Someone could observe you entering your password (say through a micro video camera), or specialized equipment could get that information using the PDA's electromagnetic emissions. And of course, if an assailant pointed a gun to your head, you'd probably give them the password! But all of these attacks require more effort or gaul than the typical attacker most people are worried about. So for most people, these kinds of programs are good enough.

The bottom line is that I think Strip is the best. Strip's user interface isn't quite as convenient as the others (requiring 2-3 selections instead of one to see an entry), but it's easy to understand, has the most features, and doesn't have the more concerning security issues of the other two programs. In general Keyring is a close second and very worthy alternative, but its warning about being beta, its lose-everything crash that I experienced, and its way of leaving passwords open while the program isn't running causes me to rank it lower. Lockbox is the worst of the three; you'd be better off using one of the other two. Lockbox's inability to generate random passwords and hide the master password while you're entering it are serious weaknesses, and the ``disappearance'' of its source code gives me more concerns. If you use any of these programs, be paranoid (for example, turn off beaming by default and limit what programs you load onto your PDA).

About the Author

David A. Wheeler is an expert in computer security and has written several articles on open source software / free software (OSS/FS). He's the author of Secure Programming for Linux and Unix HOWTO, Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers!, More than a Gigabuck: Estimating GNU/Linux's Size, and The Most Important Software Innovations. Mr. Wheeler's web site is at https://dwheeler.com.