Jenneth Super-Reviews Wallet Software


Janak Parekh
02-10-2003, 11:05 PM
http://www.jenneth.info/Wallet%20software%20head%20to%20head.htm

Jenneth (http://www.jenneth.info) is turning into a prodigious reviewing machine. Her latest addresses something I've seen a lot of lately on our forums - which of the three popular wallet software (eWallet, FlexWallet, or CodeWallet) should you use? There's no one answer, but Jenneth has her preferences in a voluminous review. Let's just hope she didn't type this review using Fitaly (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=7152)... ;)

Rirath
02-11-2003, 03:04 AM
Dang... she comes off a little harsh on FlexWallet. :? It's not near as bad as it sounds.

However, I would place the ability to further customise existing card (by inserting graphics and sounds) above the ability to create and edit card templates, as many people may be quite happy with the existing card templates available with the program.

Noticeably missing from FlexWallet is the ability to lock the wallet after a certain number of incorrect password attempts - for those that regularly leave their Pocket PC behind in a public place (such as a work area), such a feature is definitely necessary.

Boy do we have different priorities... I also have no problem with numeric only passwords. They're quick to type in on both the desktop and PPC. I don't think a simple alphanumeric password is going to stop any hacker. As for locking after a number of tries... that would annoy the hacker at best. If you've got info that sensitive, why would you leave the PPC unattended in public to begin with?

She does, however, list some features I'd like to see implemented.

dbman
02-11-2003, 04:03 AM
Since I own Virtual Wallet, I have to add my two cents. Virtual Wallet is a program that stores organized data in an encrypted form. It includes a free desktop program too.

I tried the others and settled on this program. It is free form so I can store my data using text and html. Anything else is just eye-candy and adds nothing to the functionality I wanted. I also have to wade through fewer screens to get at my data.

My only complaint with Virtual Wallet is it seems just a little sluggish. Regardless, I like what it does and I have not had a single problem with it. Too bad the reviewer feels that the last revision date for a program excludes it from consideration. I think it would have compared favorably and should have been included. I think in many ways, it is more versatile than its competition.

blusparkles
02-11-2003, 05:02 AM
LOL - my intention was not to be "harder" on any wallet program - I tried to be as objective as possible. That being the case, I also had to comment on what I personally felt were more important features, though of course, as I mention in the review, this is not something that everyone would agree with.

Also, the practice of locking something for a certain period of time after a number of unsuccessful password attempts is one of the most effective forms of password security. I would think that such a feature would be to deter nosy workmates or family members, rather than "hackers" (do you mean crackers?), who would likely have no desire to crack into someone else's "Palm Pilot" (I'm being ironic there).

I fully intended on including Virtual Wallet in my review. However emails I sent to Virtual Wallet regarding whether they were intending to update the product went unanswered. I also installed Virtual Wallet onto my iPAQ and learnt how it worked. It uses an entirely different paradigm to the other programs, using "pages" rather than "categories" to organise each card. Though I was impressed with the fact that you could import html files as cards.

Part of the reason I wanted to do this review was to determine whether any one wallet program satisfied all of my needs, knowing from the outset that this wasn't going to be the case. I looked at all four programs and found that they were all lacking in at least one main respect. Based on this, I reviewed the three programs that were updated on a regular basis and thus were more likely to add these new features.

Pony99CA
02-11-2003, 05:30 AM
Dang... she comes off a little harsh on FlexWallet. :? It's not near as bad as it sounds.

However, I would place the ability to further customise existing card (by inserting graphics and sounds) above the ability to create and edit card templates, as many people may be quite happy with the existing card templates available with the program.

Noticeably missing from FlexWallet is the ability to lock the wallet after a certain number of incorrect password attempts - for those that regularly leave their Pocket PC behind in a public place (such as a work area), such a feature is definitely necessary.

Interestingly, the comparison table on the review page says "Yes" for all three programs in the Lock after specified number of incorrect password attempts row.

Given the text specifically says that's not supported for FlexWallet, I have to assume that the table is incorrect.

Steve (the review reviewer :-))

blusparkles
02-11-2003, 05:44 AM
Oops, my bad - thanks for pointing this out :oops: I'll change this when I get home :)

Rirath
02-11-2003, 07:28 AM
LOL - my intention was not to be "harder" on any wallet program - I tried to be as objective as possible. That being the case, I also had to comment on what I personally felt were more important features, though of course, as I mention in the review, this is not something that everyone would agree with.

Indeed, just doing my part to speak as a FlexWallet fan and rebut its features. Don't want someone reading this to think FlexWallet is inadequate or anything.

Also, the practice of locking something for a certain period of time after a number of unsuccessful password attempts is one of the most effective forms of password security. I would think that such a feature would be to deter nosy workmates or family members, rather than "hackers" (do you mean crackers?), who would likely have no desire to crack into someone else's "Palm Pilot" (I'm being ironic there).

I would think family members and nosy workmates wouldn't A) be playing with your pocket pc and/or B) know it has a lock. In which case you'd come back to the unit and surprise, it's locked for the next 30 minutes because your cousin billy wanted to play solitaire. If a person really wanted the info inside, they'd probably just steal the unit and spend all the time they want on getting into it. All the more reason to simply not leave it lying around. (By the way, I haven't tested or checked... but could a soft reset get around the 30 minute wait? Just curious.)

As for hacker vs cracker, I'll stand by what I said. It was by far close enough for the purposes, and personally I think anyone trying to get access to your data would have illegal intent. Hacker: "One who illegally gains access to or enters another's electronic system to obtain secret information or steal money." - Cracker: "One who makes unauthorized use of a computer, especially to tamper with data or programs."

At any rate, I'm not trying to refute your review or say you're wrong about any of the opinions. I simply gave the opposite view from a FlexWallet fan. Which is simply that the two quotes I posted may not be drawbacks at all.

Andy Whiteford
02-11-2003, 12:30 PM
A great comparison none the less. Good work Jenneth. I think this is one of those types of apps that most PDA users will get a use from so this article was a long time in coming.

I personally use eWallet. I haven't tried the others, eWallet was my first but it does all I need and is simple to use. I do like the look of Code Wallet Pro but personally see no need to change at this time.
Perhaps new versions will incorporate the suggestions you made and make for a more tempting product.

etron
02-11-2003, 04:53 PM
I was a palmVx user, and was using wallet type software, but it was entirely free (forgot the name, but the encryption was good). When I switched to my e740 several weeks ago, I realized there was no such thing as free lunch in the PPC world when it comes to good wallet software.

I tried eWallet and FlexWallet, and pricing was really important to me, so I was really close to buying FlexWallet for $20. That same weekend, they dropped their price to $4, and it obviously was an easy decision now. I agree that it should support alphanumeric characters (it's pretty easy to break a numeric only password, some brute force software can run over a million combinations a second, depending on the hardware). My numeric password is VERY long, but I am hoping that they will support alpha numeric characters in their next release. Great review, even though I personally haven't had any issues or negative feelings except for the password mechanism.

Rirath
02-11-2003, 05:12 PM
I agree that it should support alphanumeric characters (it's pretty easy to break a numeric only password, some brute force software can run over a million combinations a second, depending on the hardware).

I'd just like to ask... why couldn't the same brute force program crack an alphanumeric code almost as quickly?

etron
02-11-2003, 05:20 PM
Well, let's say your password is 12345 (I hope it isn't lol)

A brute force cracker can nail this number pretty fast, especially if the cracker is aware that the password is numeric only. Now if you add one single alpha numeric character, then the brute force cracker will have no luck with the numeric only crack attempt. So he has to try "mixed mode", there are so many possibilities if you add single alpha numeric characters to this numeric password.

Also, there are only 10 different numbers, and 26 different alpha numeric characters. So that makes it a bit more difficult.

Check out http://www.sans.org/resources/policies/Password_Policy.pdf for a really good guide on password policies, it isn't boring text, it's something everyone should know, it's only 3 pages in PDF.

Janak Parekh
02-11-2003, 06:23 PM
... in other words, you're talking 36^n instead of 10^n possibilities to check for in a brute-force crack. For sufficiently small n, this is a very, very substantial difference.

--janak

Andy Whiteford
02-11-2003, 06:52 PM
So 2003 isn't a very good password?
Hmmm, okay.
Me runs and starts changing stuff! :D

mel
02-11-2003, 07:44 PM
I just wanted to clarify this numeric password issue. The password itself is encrypted and stored inside your wallet with a 128-bit key, which is alphanumeric and 16 bytes long (the user does not have access to this key, it is used internally and generated randomly). So, an attacker would first have to break that 128 bit password to get to the numeric password you've chosen. Not only that, a hacker would need to know the file format used by FlexWallet (say a file is 200K in size, where in those 200K is the password stored?). FlexWallet does not use some well documented format such as .zip or .doc files. It has a proprietary format, created by TwoPeaks and not published. So, a brute force attack is possible in theory, but very hard in reality. We have made the numeric password only as a convenience to the user (the large buttons are easy to tap with your stylus or finger). It is easy for us to make it an alphanumeric password, but that would take away some of the ease of entering the password. You decide!

Thanks for the comments.
-Mel
Two Peaks Software

Pony99CA
02-11-2003, 09:03 PM
... in other words, you're talking 36^n instead of 10^n possibilities to check for in a brute-force crack. For sufficiently small n, this is a very, very substantial difference.

I think you mean for sufficiently large values of n, as the difference grows exponentially. For n=1, a small number, the values are 36 vs. 10, which is not substantial.

For n=4, a numeric-only password will have 11,110 values. (Why not 10,000, you may ask? Because 10,000 is simply the number of four-digit passwords; there are also three-digit passwords, two-digit passwords and one-digit passwords.) For alphanumeric passwords, there are 1,727,604 values -- more than 100x as many!

You probably meant that very large values of n would be impossible to brute force even for numeric-only passwords, but I was feeling pedantic. :-D

And, if case is important (which in passwords it usually is), there are at least 62 possible choices, making brute force even slower. For n=4, that means 15,018,570 possible passwords.

Steve
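
The keyspace figures worked out in the posts above, as an added example that is not part of the original thread: it reproduces the n=4 counts, applies the million-guesses-per-second rate quoted earlier, and contrasts that with a lockout policy. The lockout policy of 5 attempts per 30-minute window and all function names are assumptions chosen for illustration.

```python
import math

# Guess rate quoted in the thread ("over a million combinations a second").
OFFLINE_GUESSES_PER_SEC = 1_000_000

ALPHABETS = {"digits": 10, "alphanumeric, one case": 36, "alphanumeric, mixed case": 62}


def keyspace(alphabet_size, max_len, min_len=1):
    """Count passwords of every length from min_len to max_len inclusive."""
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def offline_seconds(alphabet_size, max_len, rate=OFFLINE_GUESSES_PER_SEC):
    """Worst-case seconds to try every candidate when guessing is unrestricted."""
    return keyspace(alphabet_size, max_len) / rate


def lockout_days(alphabet_size, max_len, attempts_per_window, window_minutes):
    """Worst-case days when the wallet locks after attempts_per_window bad guesses."""
    windows = math.ceil(keyspace(alphabet_size, max_len) / attempts_per_window)
    return windows * window_minutes / (60 * 24)


def digits_to_match(alphabet_size, length):
    """Shortest numeric PIN length with at least alphabet_size**length values."""
    target = alphabet_size ** length
    n = 1
    while 10 ** n < target:
        n += 1
    return n


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for n in (4, 8):
            print(f"{name:26s} n<={n}: {keyspace(size, n):>20,d} candidates, "
                  f"{offline_seconds(size, n):>16,.2f} s offline")
    # Assumed lockout policy: 5 attempts, then a 30 minute wait.
    print(f"4-digit PIN behind lockout: {lockout_days(10, 4, 5, 30):.1f} days worst case")
    print(f"PIN digits needed to match 8 one-case alphanumerics: {digits_to_match(36, 8)}")
```

The offline figure applies only when guesses can be checked without going through the wallet's own password prompt; the lockout figure applies only when every guess must go through it.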

Janak Parekh
02-11-2003, 09:13 PM
You probably meant that very large values of n would be impossible to brute force even for numeric-only passwords, but I was feeling pedantic. :-D
No, I really meant for small n. Both grow exponentially, so for large n it doesn't really matter; both are insanely large. For small n, though, 36^n is a much bigger number, which is useful. Your example with n=4, which I consider small, proves my point perfectly.

Would you be happy if I said small n, n > 1? However, 36 is still a lot more than 10. :D

Fortunately, the Two Peaks guys aren't idiots and they have implemented numeric passwords in such a way that it's hard to brute-force even if you get ahold of the file. :)

--janak

Ekkie Tepsupornchai
02-11-2003, 09:30 PM
Having owned CodeWallet and having just purchased FlexWallet (for 4.95), I'm not totally convinced I want to switch.

I love the interface on FlexWallet and the template editor is a HUGE plus, but so far, I've found the CodeWallet desktop program to be far more stable (FlexWallet crashed after some time spent entering new data resulting in lost data) and the CodeWallet PPC program seems to be far more responsive (scrolling up and down an opened card in FW seems to be real slow).

In summary, FlexWallet looks great and supports great features, but CodeWallet has proven more robust.

Pony99CA
02-11-2003, 10:02 PM
You probably meant that very large values of n would be impossible to brute force even for numeric-only passwords, but I was feeling pedantic. :-D
No, I really meant for small n. Both grow exponentially, so for large n it doesn't really matter; both are insanely large. For small n, though, 36^n is a much bigger number, which is useful. Your example with n=4, which I consider small, proves my point perfectly.

Would you be happy if I said small n, n > 1? However, 36 is still a lot more than 10. :D

Nope, I wouldn't be happy. I told you I was feeling pedantic. :-)

36 isn't even an order of magnitude greater than 10, but, as n increases, the difference grows more substantial (two orders of magnitude when n=4). In math, saying "sufficiently small" would imply decreasing n made the difference bigger, which it doesn't.

For sufficiently large n, it will be impossible to brute force either method, but that would be true even in a linear relationship. :-)

Hey, my degree in Math from the University of Michigan has to mean something, right? :-D

Steve

Janak Parekh
02-11-2003, 10:05 PM
Hey, my degree in Math from the University of Michigan has to mean something, right? :-D
OK, fine. :-D I think you get my point though.

Now I remember why I didn't pursue a math degree. :lol:

--janak

blusparkles
02-12-2003, 12:09 AM
I just wanted to clarify this numeric password issue. The password itself is encrypted and stored inside your wallet with a 128-bit key, which is alphanumeric and 16 bytes long (the user does not have access to this key, it is used internally and generated randomly). So, an attacker would first have to break that 128 bit password to get to the numeric password you've chosen. Not only that, a hacker would need to know the file format used by FlexWallet (say a file is 200K in size, where in those 200K is the password stored?). FlexWallet does not use some well documented format such as .zip or .doc files. It has a proprietary format, created by TwoPeaks and not published. So, a brute force attack is possible in theory, but very hard in reality. We have made the numeric password only as a convenience to the user (the large buttons are easy to tap with your stylus or finger). It is easy for us to make it an alphanumeric password, but that would take away some of the ease of entering the password. You decide!

Thanks for the comments.
-Mel
Two Peaks Software

I see your point, though CodeWallet Pro and eWallet both let you use numeric passwords as well, providing a large keypad for convenience. I think it's good to have a choice over whether you wish to use numeric passwords or alphanumeric passwords, which was the point that I was trying to make in my review.

Also, I don't think the "average user" would really know about all of the things you described above about "brute force attacks" (I know I didn't!) - all they would know is that they're putting a heck of a lot of personal information into their wallet file, and would probably like the peace of mind knowing that it's protected by an alphanumeric password (as most people have a vague conception that alphanumeric passwords are more secure than numeric ones).

Pony99CA
02-12-2003, 10:13 PM
Hey, my degree in Math from the University of Michigan has to mean something, right? :-D
OK, fine. :-D I think you get my point though.

Now I remember why I didn't pursue a math degree. :lol:

:lol:

Be glad I dropped my plans for law school and majored in Math and Computer Science instead. :-)

Steve

Pony99CA
02-12-2003, 10:17 PM
Also, I don't think the "average user" would really know about all of the things you described above about "brute force attacks" (I know I didn't!) - all they would know is that they're putting a heck of a lot of personal information into their wallet file, and would probably like the peace of mind knowing that it's protected by an alphanumeric password (as most people have a vague conception that alphanumeric passwords are more secure than numeric ones).

Well put, Jenneth. Too often, we software developers forget that our products aren't used exclusively by techno geeks like us. :-) (Well, the software development tools I worked on probably were, but that's another story. :-D)

Steve

Kati Compton
02-13-2003, 04:48 AM
Hey, my degree in Math from the University of Michigan has to mean something, right? :-D
OK, fine. :-D I think you get my point though.

Now I remember why I didn't pursue a math degree. :lol:


So guys - when are you going to break out the "Big-Oh" notation? ;)

Janak Parekh
02-13-2003, 05:20 AM
Be glad I dropped my plans for law school and majored in Math and Computer Science instead. :-)
Argh, you got me again! Not a day when I can smack you down with my witty repartee (http://ars.userfriendly.org/cartoons/?id=20030207). :D

So guys - when are you going to break out the "Big-Oh" notation? ;)
No - please - let's not start debating the orders of magnitude of encryption algorithm efficiencies as a software comparison guideline. 8O Talk about straying from "average user". :lol:

--janak

Pony99CA
02-13-2003, 09:40 AM
So guys - when are you going to break out the "Big-Oh" notation? ;)
To make a joke about women looking for the "Big O" or not to make a joke. That is the question. :rofl: (Hey, a dirty mind is a terrible thing to waste. :-D)

Steve