View Full Version : And Speaking Of Security Software...


Brad Adrian
07-03-2004, 11:00 AM
I'm curious about the specific security software you use for storing all of your passwords, software keys and other secret stuff. There are several great e-wallet programs out there, and they all seem kinda similar, so I'd like to know how you decided which one to buy. And, if you've got ideas for how these e-wallet programs can be improved, be sure to post that, too.

UPDATE: Our poll got messed up somehow, so we'll have to re-do it in a new post (we can't reset the current poll).

surur
07-03-2004, 11:15 AM
I love these polls! They get more comprehensive all the time. Only one niggle: When used as a wildcard, one only needs one * to cover all possibilities.

Maybe you meant the ? or $ :)


Just joking. :lol:

Surur

Theo
07-03-2004, 11:40 AM
I continue to use eWallet just for historic reasons. I know there are better apps out there; I just wish there was an app that would migrate data from one to the other...

Am also beta testing RoboForm PPC client which syncs to its PC brother (http://www.roboform.com/wince.html). I can easily foresee the day when RoboForm is used for all my net related passwords due to its form filling capabilities on the PC and a wallet for the rest of my secure data.

PiatekHS
07-03-2004, 12:03 PM
I continue to use eWallet just for historic reasons. I know there are better apps out there; I just wish there was an app that would migrate data from one to the other...

I agree, I also use eWallet and would never be bothered to re-enter all the data.

Empyrean
07-03-2004, 12:37 PM
Don't forget that SplashData's SplashID (http://www.splashdata.com/ppc/splashid/index.htm) is now available.

mrjimmyc
07-03-2004, 12:46 PM
I'm using Password Juggler NX 2004. Seems to be pretty good so far...

dazz
07-03-2004, 12:56 PM
HanDBase!!

Lex
07-03-2004, 01:10 PM
I've looked at the options and decided to stay with my Pocket Excel sheet encrypted with Resco Explorer. Already had Resco and Excel and most of the 'wallets' aren't cheap.

buzzard
07-03-2004, 01:22 PM
One of the things I've often wondered about on all of these super encrypted, 128 bit...da da da security programs. Isn't the key to all of this your password? It seems as though no matter how strong any of these programs are if you use your first name for a password, for example, the application still starts up. Am I wrong in thinking that all of this is pure hype, is an Excel spreadsheet password protection any better than Resco or Flexwallet or anything else if you have an easy to figure out password?

Lex
07-03-2004, 01:27 PM
I put that question to this d.board when I was contemplating buying Resco's Explorer. It has great file explorer features and file encryption is just one of them.

A couple of respondents said an Excel password could be broken if I gave them my laptop or PPC and 30 minutes time. So I don't even use Excel's password function. I -encrypt- the Excel sheet via Resco and use a non-obvious password. The file actually disappears from the file list within Excel. It's only accessible through Resco Explorer, and the password is required to get it open.

drowe
07-03-2004, 01:40 PM
I use splashID. I loved it on my palm and when I found it for the PPC, I moved everything out of cdkWallet.

flooder
07-03-2004, 01:52 PM
I'll probably go to a canned solution soon. I'm looking at flex wallet right now.

Up until now it has been Excel and then PGP encryption. Added benefit of being able to send and read encrypted mail.

OSUKid7
07-03-2004, 02:43 PM
Haven't used anything before last week. (Well, I used an encrypted and PW protected Word file...but yeah, not the best idea. ;)) Now I use FlexWallet 2005 and will continue to since I won a free copy. :) I don't have much to compare it to, but it seems like an awesome program with great design and easy usability.

blazingwolf
07-03-2004, 03:03 PM
I purchased Flexwallet when they had the $5 sale on the PPC and desktop version.

ombu
07-03-2004, 03:09 PM
Just PExcel and Resco FE encryption, simple.

gregmills
07-03-2004, 03:22 PM
I use iLock (http://www.pocketgear.com/software_detail.asp?id=12643). A new version is due in September with an associated desktop application.

Fabulas
07-03-2004, 03:47 PM
Handango Vault. Got it free with my 3970

bleeman
07-03-2004, 04:10 PM
eWallet. Full versions of it and ListPro came bundled with my iPAQ (can't remember if it was my 3630 or 3765). Worked very well for me so when I sold my older iPAQs I bought the "suite" version (eWallet, ListPro, and their Today screen clock/calendar/picture display utility whose name escapes me right now) since my original license stayed with the old iPAQ. The suite includes both PPC and desktop versions of both applications and costs $44 if I remember correctly. Thanks to the subscriber discount here I was able to take $7 off of that.

As to changes I can't think of any. It does exactly what I need and I'm quite happy with it.

dhpss
07-03-2004, 04:19 PM
If you are looking for the right tool: Read this review:
http://www.jenneth.info/archives/003008.html
http://www.jenneth.info/archives/003113.html

hamishmacdonald
07-03-2004, 04:22 PM
Was using eWallet, but had to hard reset one weekend and had trouble reloading it. The developers sent me my registration details on Monday, but in the meantime I'd switched everything over to Fann Software (http://www.fannsoftware.com)'s excellent TreNotes. I already used TreNotes for all my outlining, and its files can be password-protected. There's also a desktop component which I'd purchased, so I figured that if I used it, that's one less program in memory.

Swordsman74
07-03-2004, 04:26 PM
You forgot another one - http://keepass.sourceforge.net/ - and it's open source (free)!!

It comes with both a desktop and PPC version - the desktop version doesn't need an install.

It has some importing capabilities, including CodeWallet and CSV files.
It can export to TXT, HTML, CSV and XML.

It even allows you to use a USB key drive as a "password" - I know, not useful for us PPC users, but still a cool feature.

It has other neat security features like when copying your password to the clipboard, it will erase the clipboard in X seconds, so someone can't come after you and paste to see your password.

The only thing keeping me from converting to it from CodeWallet is that you cannot customize the fields (I hope they implement something like what Flexwallet just released!).

Still, it is worth a look - especially for those folks who would rather use Excel than pay...

Pony99CA
07-03-2004, 04:53 PM
I used eWallet 2.0 because it came free on my iPAQ 3650. I kept it on my iPAQ 3870, too, but eventually decided to actually pay and upgrade to get the improvements in eWallet 3.1.

I used to keep my credit card information in the Notes field of Contacts records, figuring my Pocket PC's strong password kept them safe. Obviously, the strong password didn't apply to my PC, so the synchronized data wasn't as secure, but I had less risk of losing that, too. :-)

Steve

Pony99CA
07-03-2004, 05:04 PM
You forgot another one - http://keepass.sourceforge.net/ - and it's open source (free)!!
Maybe he just didn't know about it. :-) I think I saw something about this on Tech TV's The Screen Savers, though.

It even allows you to use a USB key drive as a "password" - I know, not useful for us PPC users, but still a cool feature.
Why isn't this useful to Pocket PC users? Couldn't you just use an SD card for the same purpose (assuming you have an SD reader on your PC)?

What I'd really like would be a way to allow sending your credit card data via Bluetooth during a sale. That way you wouldn't have to take your physical credit cards anywhere. I know there are schemes to use your mobile phone to make payments, but I don't want my purchases showing up on my phone bill.

What we'll probably end up with is RFID payments, though. Credit cards will likely eventually have RFID chips embedded in them so you can just swipe your wallet near a reader. The one problem with that would be if you had multiple RFID-enabled credit cards with you -- imagine being charged multiple times for the same purchase. :evil: I hope the processors will be smart enough to ask you which card you want to use (showing the name of the card and maybe the last four digits of the account numbers).

Steve

Zack Mahdavi
07-03-2004, 05:52 PM
I used to use eWallet, but I recently switched to SplashData's SplashID. This was my program of choice on the Palm, and I'm glad it's now available for the Pocket PC. It's the only program available that supports record for record syncing.

Swordsman74
07-03-2004, 06:02 PM
You are correct - I saw it on there as well...

I'm sure you could use it with an SD card too, but I don't know how that would work with the Pocket PC - meaning the act of putting the SD card into your PPC would function as your "password"? I suppose that would work, but I'm not sure this program does that yet...

Oh - man! You're hitting on a big sore spot with me. I have been hoping someone would come out with "electronic payment" or ID system for years!! I hate carrying all these cards for different places in my wallet (and credit cards and money too!). But as much as I want it, I don't know if I would trust it - for the same reason you just touched on - how would you know if someone didn't charge you multiple times or used the wrong "card". Taking it a step further - I would not want Stop & Shop to "scan" my device and find what other cards I possess - it would have to be like a browser cookie - they can only see if THEIR card exists in my device... And, of course, I'd be mighty peeved if I went to pay for something and my battery had died!! :oops: Sorry to get a bit off topic, but it will be interesting to see how this will come about - it has to at some point!!

Lex
07-03-2004, 07:29 PM
If you are looking for the right tool: Read this review:
http://www.jenneth.info/archives/003008.html
http://www.jenneth.info/archives/003113.html

Dead links methinks.

Edit: 5 minutes later. Working again.

Crash Biker
07-03-2004, 08:33 PM
Bought softwinter sentry 2020 for both desktop and pocketpc - bit pricy but has worked very well. I currently have a 1mb encrypted folder under my documents that syncs to my pc and can be updated with anything on pocket pc or desktop - excel, word, txt etc.

I keep passwords in a word file, some financial data in excel etc. Great thing about Sentry is unlike most others you don't unencrypt the file use it and then re-encrypt - you mount the folder as a virtual drive with a timeout. Similar to pgpdisk. No chance of walking away and forgetting to re-encrypt later.

I swallowed hard over the cost when I purchased but I have had good value. It was the only option I could find at the time which was available on both desktop and pocket pc with a compatible data file that did not require explicit un-encrypt then re-encrypt.

Cheers

Crash

Pony99CA
07-03-2004, 09:10 PM
Oh - man! You're hitting on a big sore spot with me. I have been hoping someone would come out with "electronic payment" or ID system for years!! I hate carrying all these cards for different places in my wallet (and credit cards and money too!). But as much as I want it, I don't know if I would trust it - for the same reason you just touched on - how would you know if someone didn't charge you multiple times or used the wrong "card".
The system I was thinking of wouldn't be automatic. I'd open eWallet on my Pocket PC, tap the credit card I wanted to use and select a Send Card Details action which would transfer my name, credit card number, expiration date and (possibly) CVC number to the card reader. That would guarantee the store only used the card I wanted, while also preventing them from finding out about the rest of my cards.

Each card reader in the store would have a Bluetooth ID displayed on it so you knew which card reader to send the data to. Of course, watch some hacker spoof the Bluetooth ID of the card reader and have you send him your data. :lol:

Steve

Ed Hansberry
07-03-2004, 09:18 PM
Very strange. When I voted, eWallet and FlexWallet both had 222 votes. Now they both have 309. 8O

James Fee
07-03-2004, 09:29 PM
Very strange. When I voted, eWallet and FlexWallet both had 222 votes. Now they both have 309. 8O
I just voted and now they have 313 each. 8O 8O

dean_shan
07-03-2004, 09:54 PM
I used to use FlexWallet but now I have switched over to KeePass (http://keepass.sourceforge.net/). I find it has more features than FlexWallet. I haven't used that PPC version yet but I'm very impressed by the desktop client.

ombu
07-03-2004, 10:41 PM
You forgot another one - http://keepass.sourceforge.net/ - and it's open source (free)!!
Hey, thanks for the link, didn't know about it until now, I find it great. :)

Regards.

mochant
07-03-2004, 10:54 PM
I used Splash ID on the Palm for years. When I recently switched to PPC, I was pleased to learn that I could use the same license. It's a great program.

PPCMD
07-03-2004, 11:32 PM
I got Flex Wallet when it was $5 but I really missed having SplashID for my security and that changed when they launched it late last month. So SplashID is what I use now.

Jeff Rutledge
07-03-2004, 11:55 PM
358 a-piece now.

Very strange...

Lex
07-04-2004, 12:40 AM
You forgot another one - http://keepass.sourceforge.net/ - and it's open source (free)!!

It comes with both a desktop and PPC version - the desktop version doesn't need an install.

Are the desktop and PPC versions fully integrated? I.e.: Editing on one version --> ActiveSync --> new data appears on the other version.

volwrath
07-04-2004, 01:32 AM
Here's another freeware one from SourceForge - http://sourceforge.net/projects/passwordsafe/

WillyG
07-04-2004, 02:58 AM
Other: TreeNotes

Brad Adrian
07-04-2004, 03:01 AM
Haven't used anything before last week.
Wow! I haven't counted lately, but I bet I've got around 100 different passwords or "secret things" that I need to keep encrypted.

Brad Adrian
07-04-2004, 03:04 AM
Maybe he just didn't know about it.
Actually, I didn't include it because it has such a relatively small share of the market. It's not practical or good survey design to include every possible option.

Brad Adrian
07-04-2004, 03:07 AM
I hope the processors will be smart enough...
RFID chips and readers are certainly smart enough to handle situations like you describe. Most RFID systems employ passive chips (which require no integrated power source) which are activated when they receive a very specific radio signal.

Of course, the ideal mobile payment system would allow me to use only one account for all of my purchases, but that's not likely to happen.

fengwei007
07-04-2004, 04:17 AM
Used to use eWallet, but since Splash ID came to PPC, I switched over in no time :D Just love its simplicity and ease of use. Had been using it on my Sony Clies and now I'm happy with it. Much easier to use than eWallet IMO. Best of all, I don't need to buy it again 'cause I already have the Palm version.

Cheers!

Brad Adrian
07-04-2004, 04:36 AM
How important is it to be able to convert and transfer this kind of data from one e-wallet program to another? If you loved a new program but had to enter your info in again by hand, would that be a deal breaker?

Rob Alexander
07-04-2004, 05:37 AM
How important is it to be able to convert and transfer this kind of data from one e-wallet program to another? If you loved a new program but had to enter your info in again by hand, would that be a deal breaker?

Two things for me... First, there would have to be some significant new feature(s) that would make me even consider using something new. I've used eWallet since it first came out and it does everything I need, so I can't imagine what that would be. Second, yes, if there were some feature that would make me pay the extra money to move, there would have to be an ewallet import facility or I wouldn't do it. The time needed to move everything over manually might be even more important to me than the cost.

BTW, as some others have noted, both eWallet and Flexwallet are still tied in the polls, now at 452. There's definitely something wrong with the polling software.

Hyperluminal
07-04-2004, 05:38 AM
I use CodeWallet Pro, for one very good reason: I was given a free copy to review for another PDA site. :D

It's good for what I use it for.. which is not very much. So, I don't really see much wrong with it, but at the same time, I haven't really looked at the other ones to compare...

Pony99CA
07-04-2004, 07:29 AM
Very strange. When I voted, eWallet and FlexWallet both had 222 votes. Now they both have 309. 8O
I just voted and now they have 313 each. 8O 8O
Even stranger -- when I voted they both had 135. When I got notified of a thread update, both had 139.

UPDATE: And now both have 477. 8O Could there be some bug? It's hard to believe they're that evenly split.

Steve

ecard
07-04-2004, 07:44 AM
Brad, is it possible that you have a problem with the voting? :?:

It seems that you are showing total votes for both ewallet and flexwallet?! :wink: They are always increasing at the same time!! For me, this looks too bizarre.

Venturello
07-04-2004, 02:19 PM
PocketLock from Applian. Good, simple, well integrated, does the job. This is for encrypting any file, and I use it to encrypt doc files...

Bruno Figueiredo
07-04-2004, 03:10 PM
The voting has a bug indeed. In the form values, both have an ID of 3 and there's no 2. So, the results are always equal. To the form, both are the same...

insaneperson
07-04-2004, 04:53 PM
LMAO. call in the php gurus.

Wojo
07-04-2004, 06:34 PM
forget the eye candy of these apps and use a true encryption product. I store all my information in POutlook and encrypt the notes with PGP. The only way to go.

Ed Hansberry
07-04-2004, 07:33 PM
forget the eye candy of these apps and use a true encryption product. I store all my information in POutlook and encrypt the notes with PGP. The only way to go.
I'll take a rich client that allows searching, desktop sync and consistent fields over encrypted text blobs to POutlook note fields any day. RC4 encryption with a 128 bit key is good enough for me. It isn't like I have nuclear launch codes. ;-)

Jonathan1
07-04-2004, 11:29 PM
I'm curious about the specific security software you use for storing all of your passwords, software keys and other secret stuff. There are several great e-wallet programs out there, and they all seem kinda similar, so I'd like to know how you decided which one to buy. And, if you've got ideas for how these e-wallet programs can be improved, be sure to post that, too.

I could tell you but then I'd have to kill you. 8O :worried: :wink:

Jonathan1
07-04-2004, 11:42 PM
RC4 encryption with a 128 bit key is good enough for me. It isn't like I have nuclear launch codes. ;-)

No but some of us have our entire lives in there. As computers get faster and more powerful cracking 128 bit encryption becomes more and more likely to occur in a relatively short amount of time.

ID theft is becoming a BIG problem. When I lost my Jornada a couple years back I was faced with the daunting challenge of changing about 60 passwords scattered both online, for my banking accounts, and with home and work systems. And never mind that I couldn't change my SSN number that also resided in that file. To make matters worse it resided in the safe store area. So a full hard reset wouldn't have deleted the file and since Codewallet pro was built into the safe store it would always remain on that system tempting some to try and crack my data. I went freaking nuts about this.
Thankfully the perpetrator returned the device. (It was at a Party and I didn't feel like dragging my brick with me in my pocket so it remained in my jacket pocket.) and all was right with the world again but I learned enough that day to know that I should
1. Have a Power on Password ALWAYS.
2. Have nicestart installed so after 4 attempts it formats the system.
3. Any private info NEVER gets stored in a CF, SD, or safestore area.
4. Encryption is your friend and there is no such thing as too much security. As long as it's easy to use.


That incident turned my life upside down. I never want to deal with that EVER again.

Jonathon Watkins
07-04-2004, 11:57 PM
I know I should really get one of the password keepers, but I just haven't got round to it yet. Outlook still works for me, with my PPC having a power on password. However, incidents like the one Jonathan1 described make me think that I should take the plunge to a proper password store soon.

Jason Dunn
07-05-2004, 02:45 AM
As computers get faster and more powerful cracking 128 bit encryption becomes more and more likely to occur in a relatively short amount of time.

That's only true in the instance of the software interface ALLOWING unlimited input attempts. Take the Pocket PC password encryption for instance - after five or so incorrect attempts, it starts to double the length of time between password entry points. After 30 or so attempts, you're waiting 20 minutes before you can try again, then 40, then 80, etc...since it's mathematically impossible to crack a 128-bit encryption in under 100 attempts, the Pocket PC is more secure than you'd think.

The other question would be whether or not someone has written a cracking program that would even run on an ARM processor, one that would interface with the digital wallet software and continually pump passwords into it with a brute force attack.

I'm certainly not a security expert, but I think people sometimes overdo the security risks associated with "only" having 128-bit security. It's not like we're talking about a Linux server that's on the 'Net and some script kiddie takes 10,000 zombies and hammers the server with random password attempts - it's a totally different scenario.

Ed Hansberry
07-05-2004, 04:25 AM
RC4 encryption with a 128 bit key is good enough for me. It isn't like I have nuclear launch codes. ;-)

No but some of us have our entire lives in there. As computers get faster and more powerful cracking 128 bit encryption becomes more and more likely to occur in a relatively short amount of time.
Personally, I think you guys are paranoid. 128bit encryption is roughly 309,485,009,821,345,068,724,781,056 times stronger than 40 bit encryption, which can be cracked in a day or so with a modern PC. That means with today's computing power, it could take 8,479,041,364,968,358,047,254 centuries to crack. I am not really concerned if Moore's law continues, doubles or even quadruples in my lifetime. :mrgreen:

Swordsman74
07-05-2004, 04:55 AM
Reply to Lex -

Yes, it syncs the file through ActiveSync so any updates made on the desktop will show up on the PPC.

As you might expect, there are fewer features on the PPC than on the desktop - the developer lists them on his site:

http://doncho.net/kppc/

Just an added note - the desktop version of KeePass was just updated today... A bunch of fixes, drag-and-drop entries, entry totals, other UI improvements...

And just to add to the pile of encryption posts, KeePass uses both AES and Twofish algorithms. Taken from the features page of their site:
# Even if you would use all computers in the world to attack one database, decrypting it would take longer than the age of the universe.
# Even quantum computers won't help that much, the algorithms are symmetric so its complexity would be reduced to its square root, anyway, the sun will go nova before you have decrypted the database.

:lol:

Pony99CA
07-05-2004, 05:01 AM
RC4 encryption with a 128 bit key is good enough for me. It isn't like I have nuclear launch codes. ;-)
No but some of us have our entire lives in there. As computers get faster and more powerful cracking 128 bit encryption becomes more and more likely to occur in a relatively short amount of time.
Personally, I think you guys are paranoid.
I tend to agree. And, really, aren't there better ways to steal somebody's identity (like stealing their wallet or purse)?

However....

128bit encryption is roughly 309,485,009,821,345,068,724,781,056 times stronger than 40 bit encryption, which can be cracked in a day or so with a modern PC. That means with today's computing power, it could take 8,479,041,364,968,358,047,254 centuries to crack. I am not really concerned if Moore's law continues, doubles or even quadruples in my lifetime. :mrgreen:
I agree again, but do wonder about one thing. If somebody doesn't use a password with 128-bits, is it still as secure? For example, if my password is xyz123abc, that's only 72 bits of information, so will the encryption be as strong? I doubt it.

Do I have to use a 16-character password to get close to 128-bit encryption? (I say "close to" because I don't know if you can put control characters in passwords in most eWallet applications, which would eliminate 32 of the 256 possible characters.)

Steve

Janak Parekh
07-05-2004, 06:45 AM
That's only true in the instance of the software interface ALLOWING unlimited input attempts.
Unless someone can get access to the datafile without having to go through the PPC's interface -- such as if the eWallet is sitting on an SD card. ;) But with a combination of careful policies, I largely agree with you. If Jonathan1 happens to be a sysadmin of a carefully-secured company, his requirements may differ, though. A lot of financial companies use SecurID and other tools to make password cracking as difficult as possible.

--janak
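
Added example, not part of any post in this thread: a short Python calculation of two points raised in the posts above, that the password rather than the cipher's 128-bit key bounds the work needed to open a wallet file, and that a doubling lockout only limits guesses that have to go through the device. The function names, the alphabet sizes and the lockout parameters (five free attempts, a one-second first delay that doubles) are assumptions; the guess rate reuses the "40 bits in about a day" figure quoted earlier in the thread.

```python
import math

# Reference rate reused from the thread: a 40-bit space searched in about a day.
REF_BITS = 40
REF_DAYS = 1.0


def password_bits(length, alphabet_size):
    """Upper bound on password entropy in bits. Assumes every character is
    drawn uniformly at random; words and patterns give far less."""
    return length * math.log2(alphabet_size)


def effective_bits(length, alphabet_size, key_bits=128):
    """Whoever holds the encrypted file searches the smaller of the two
    spaces: the cipher's key space or the password space behind the key."""
    return min(float(key_bits), password_bits(length, alphabet_size))


def min_length(alphabet_size, key_bits=128):
    """Random characters needed before the password stops being the weak link."""
    return math.ceil(key_bits / math.log2(alphabet_size))


def offline_days(bits):
    """Days to exhaust a 2**bits space at the reference rate. Applies when the
    data file can be read directly, e.g. from a storage card."""
    return REF_DAYS * 2.0 ** (bits - REF_BITS)


def online_attempts(budget_seconds, free_attempts=5, first_delay_s=1):
    """Guesses possible through the device UI within a time budget when the
    wait before each further attempt doubles (assumed schedule)."""
    attempts = free_attempts
    waited = 0
    delay = first_delay_s
    while waited + delay <= budget_seconds:
        waited += delay
        delay *= 2
        attempts += 1
    return attempts


if __name__ == "__main__":
    # Alphabet sizes are illustrative: a-z plus 0-9, printable ASCII,
    # a byte minus 32 control characters, and a full byte.
    for name, size in [("a-z0-9", 36), ("printable ASCII", 94),
                       ("byte minus controls", 224), ("full byte", 256)]:
        print(f"{name:20s} 9 chars = {effective_bits(9, size):6.1f} bits, "
              f"need {min_length(size)} chars for 128 bits")

    # The nine-character example from the thread, counted two ways.
    print("9 chars as full bytes :", f"{offline_days(72):.3g} days offline")
    print("9 chars from a-z0-9   :",
          f"{offline_days(effective_bits(9, 36)):.0f} days offline")

    # Full 128-bit key at the same rate, in centuries of 36,500 days.
    print("128-bit key           :",
          f"{int(offline_days(128)) // 36500:,} centuries")

    # Through the lockout instead: guesses that fit in one year.
    print("online guesses in a year:", online_attempts(365 * 24 * 3600))
```
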

Wojo
07-06-2004, 06:19 AM
Ed Hansberry: I'll take a rich client that allows searching, desktop sync and consistent fields over encrypted text blobs to POutlook note fields any day. RC4 encryption with a 128 bit key is good enough for me. It isn't like I have nuclear launch codes. ;-)

As I said "Eye Candy" and that's it. I encrypt the note within the contact and I'm done. It gets synced to my desktop. No need for searching because the contact (Credit card company, Bank and/or Client) has the associated information within the notes field.

As for launch codes. Well I don't have access to that information but I do have Client credit card numbers, security codes to offices and homes along with my own information. This information will be encrypted to the highest level possible. As we know if they want to crack it they will. I trust PGP over any software that originated on a pocket pc and migrated to the desktop. Currently my encrypted information is protected with a 41 character passphrase which contains upper and lower case characters, numbers and symbols.

I've tried all these products and have found them cumbersome. I'm already in my contact information 98% of the time. To encrypt a note only takes a couple steps.

Select text
Cut or copy text
Open PGP
encrypt clipboard
paste encrypted data back
Done

I agree that these apps may do their job but I remember an old marketing phrase from Bell helmets.

"If you have a 10.00 head wear a 10.00 helmet"

Nothing is hack proof. They just don't want your information at this time. Just ask our friends at Microsoft. I remember a quote "There's no way to hack DRM". How long did it take for someone to hack it?

ctmagnus
07-06-2004, 06:30 AM
my encrypted information is protected with a 41 character passphrase

8O :shocked!: :crazyeyes:

Is this a pseudo-random password containing lower-case, upper-case, numbers and punctuation/symbols? Not based on any dictionary words?

How many passwords like this do you have? (if more than one, what is the capacity of your brain? ;) )

How often do you have to reenter the password due to a typo?

Wojo
07-06-2004, 06:36 AM
my encrypted information is protected with a 41 character passphrase

8O :shocked!: :crazyeyes:

Is this a pseudo-random password containing lower-case, upper-case, numbers and punctuation/symbols? Not based on any dictionary words?

How often do you have to reenter the password due to a typo?

It's a passphrase that does have some normal dictionary words but it also contains words from another language which is how I handle most of my passwords.

When I first started using PGP it took a few tries. You can choose to see the passphrase if you wish. Now I use Character/Letter Recognizer and almost never have to enter the phrase twice. Practice makes perfect :)

Pony99CA
07-06-2004, 09:37 AM
Ed Hansberry: I'll take a rich client that allows searching, desktop sync and consistent fields over encrypted text blobs to POutlook note fields any day. RC4 encryption with a 128 bit key is good enough for me. It isn't like I have nuclear launch codes. ;-)
As I said "Eye Candy" and that's it.

No, that's not it. What you derisively call "eye candy", others would call "user interface". Maybe you don't need any extra user interface, which is fine, but other people prefer a more friendly interface.

Your comments remind me of people who called Windows eye candy compared to DOS, or called high-level programming languages wimpy when compared to assembler.

As for launch codes. Well I don't have access to that information but I do have Client credit card numbers, security codes to offices and homes along with my own information. This information will be encrypted to the highest level possible. As we know if they want to crack it they will.
Again, that's not necessarily true. As was mentioned previously, RSA with a sufficiently long private key would take longer to crack than the life of the universe.

I suppose they could kidnap and torture you until you gave up the key, but I don't call that "cracking". :twisted:

I trust PGP over any software that originated on a pocket pc and migrated to the desktop.
Trust is certainly a valid issue. However, remember that PGP was basically created by one person (Phil Zimmermann (http://www.philzimmermann.com/EN/background/index.html)). Why assume another individual couldn't do something similar on a Pocket PC and migrate it to the desktop?

Currently my encrypted information is protected with a 41 character passphrase which contains upper and lower case characters, numbers and symbols.
How long would it take to crack that passphrase? How long would it take to crack a passphrase of 20 characters? How many bits of encryption are you using?

I've tried all these products and have found them cumbersome. I'm already in my contact information 98% of the time. To encrypt a note only takes a couple steps.

Select text
Cut or copy text
Open PGP
encrypt clipboard
paste encrypted data back
Done
There's the important piece. You have a process that, for you, is fast and efficient. Other people may prefer something different.

As I said, I used to store my credit card numbers as notes in Contacts records, but stopped doing that when I got eWallet. Would I move back to storing data there if I had PGP? Possibly, but I doubt it. I'm not unhappy with the system I have now, and the time it would take to move the data back to Contacts would put me off.

I agree that these apps may do their job but I remember an old marketing phrase from Bell helmets.

"If you have a 10.00 head wear a 10.00 helmet"
So would you spend $5,000 for a helmet? :-) Different people make different cost/benefit decisions.

I checked the PGP.com Pocket PC client Web page (http://www.pgpstore.com/product.html?productid=528842&languageid=1). A PGP subscription costs $65 per year (I think), while a lifetime license with no upgrades costs $135. That's a bit much for most people.

Nothing is hack proof.
Which would include PGP, right? ;-)

Steve

Ed Hansberry
07-06-2004, 12:22 PM
I've tried all these products and have found them cumbersome. I'm already in my contact information 98% of the time. To encrypt a note only takes a couple steps.

Select text
Cut or copy text
Open PGP
encrypt clipboard
paste encrypted data back
Done

So, say you have 250+ cards, as I do, and you want to search. Do you have a way to mass-unencrypt everything so you can search the notes? That is a little something the "eye candy" allows me to do. :roll:

Wojo
07-06-2004, 04:44 PM
So, say you have 250+ cards, as I do, and you want to search. Do you have a way to mass-unencrypt everything so you can search the notes? That is a little something the "eye candy" allows me to do. :roll:

Hmm... Interesting.. What would you be searching for within the 250+ cards? I guess this is where the apps differ. I have no need to search the encrypted data. I know where the information is so I just unencrypt that data.

I can do this on the desktop as long as my passphrase is cached.

Wojo
07-06-2004, 05:48 PM
No, that's not it. What you derisively call "eye candy", others would call "user interface". Maybe you don't need any extra user interface, which is fine, but other people prefer a more friendly interface.

Your comments remind me of people who called Windows eye candy compared to DOS, or called high-level programming languages wimpy when compared to assembler.

You're right. When comparing the apps to PGP the only difference is the "user interface" or "eye candy". PGP may not be pretty but it is powerful.

Again, that's not necessarily true. As was mentioned previously, RSA with a sufficiently long private key would take longer to crack than the life of the universe.

I suppose they could kidnap and torture you until you gave up the key, but I don't call that "cracking". :twisted:

I would never give up the key... :D

Trust is certainly a valid issue. However, remember that PGP was basically created by one person (Phil Zimmermann (http://www.philzimmermann.com/EN/background/index.html)). Why assume another individual couldn't do something similar on a Pocket PC and migrate it to the desktop?

You may be right, only time will tell. It's personal preference I guess. I tend to trust a person/company with the most experience, and someone with over 25 yrs of experience in cryptography and data security is where I'll spend my money.

How long would it take to crack that passphrase? How long would it take to crack a passphrase of 20 characters? How many bits of encryption are you using?

I'm currently using 256 bits with a key size of 4096/1024.

There's the important piece. You have a process that, for you, is fast and efficient. Other people may prefer something different.

As I said, I used to store my credit card numbers as notes in Contacts records, but stopped doing that when I got eWallet. Would I move back to storing data there if I had PGP? Possibly, but I doubt it. I'm not unhappy with the system I have now, and the time it would take to move the data back to Contacts would put me off.

Makes sense. Time is money and that's why I prefer PGP that allows me to store my encrypted data in the application that I live through Outlook and POutlook.

So would you spend $5,000 for a helmet? :-) Different people make different cost/benefit decisions.

If the helmet is constructed better and I had the money YES. I currently own a $500.00 helmet. My head is worth much more than 500.00 but it's what I felt is best for the application daily street use. If I would be racing I would probably own a 700.00+ helmet.

I checked the PGP.com Pocket PC client Web page (http://www.pgpstore.com/product.html?productid=528842&languageid=1). A PGP subscription costs $65 per year (I think), while a lifetime license with no upgrades costs $135. That's a bit much for most people.

Correct. Some people use their PDA for personal use, I use my PDA for business use and I feel that 65.00 is a business expense that I can afford to keep my client information as safe as possible.

Nothing is hack proof.
Which would include PGP, right? ;-)

Possibly

rocky_raher
07-06-2004, 07:16 PM
As computers get faster and more powerful, cracking 128-bit encryption becomes more and more likely to occur in a relatively short amount of time.

That's only true in the instance of the software interface ALLOWING unlimited input attempts. Take the Pocket PC password encryption for instance - after five or so incorrect attempts, it starts to double the length of time between password entry points. After 30 or so attempts, you're waiting 20 minutes before you can try again, then 40, then 80, etc...since it's mathematically impossible to crack a 128-bit encryption in under 100 attempts, the Pocket PC is more secure than you'd think.

The other question would be whether or not someone has written a cracking program that would even run on an ARM processor, one that would interface with the digital wallet software and continually pump passwords into it with a brute force attack.


Janak mentioned that one wouldn't have to go through the OS interface. Let me elaborate. Someone could open your PDA, pop the memory chip out, and read it with a customized circuit board. The encrypted file is just 1's and 0's, so he could download it to his Cray and attack it with brute force.

Of course, that would be infeasible for cracking just one eWallet file. Such an approach would only be used by an organization that ran a volume business in PDA theft, credit card theft, and identity theft. I wonder if any such organizations exist???

rocky_raher
07-06-2004, 07:18 PM
The voting has a bug indeed. In the form values, both have an ID of 3 and there's no 2. So, the results are always equal. To the form, both are the same...

The form was designed by someone from Florida, right??

Jonathon Watkins
07-07-2004, 01:19 AM
The voting has a bug indeed. In the form values, both have an ID of 3 and there's no 2. So, the results are always equal. To the form, both are the same...

The form was designed by someone from Florida, right??

:lol: Low blow. (but funny). :wink:

At some point I really will get myself some of that password "eye candy" to go with the "mind candy" that constitutes my PPC. :) (but not just yet).

Pony99CA
07-07-2004, 08:57 AM
As computers get faster and more powerful, cracking 128-bit encryption becomes more and more likely to occur in a relatively short amount of time.
That's only true in the instance of the software interface ALLOWING unlimited input attempts. Take the Pocket PC password encryption for instance - after five or so incorrect attempts, it starts to double the length of time between password entry points. After 30 or so attempts, you're waiting 20 minutes before you can try again, then 40, then 80, etc...since it's mathematically impossible to crack a 128-bit encryption in under 100 attempts, the Pocket PC is more secure than you'd think.

The other question would be whether or not someone has written a cracking program that would even run on an ARM processor, one that would interface with the digital wallet software and continually pump passwords into it with a brute force attack.

Janak mentioned that one wouldn't have to go through the OS interface. Let me elaborate. Someone could open your PDA, pop the memory chip out, and read it with a customized circuit board. The encrypted file is just 1's and 0's, so he could download it to his Cray and attack it with brute force.
Even with a Cray, how long would it take to break 128-bit encryption?

Of course, that would be infeasible for cracking just one eWallet file. Such an approach would only be used by an organization that ran a volume business in PDA theft, credit card theft, and identity theft. I wonder if any such organizations exist???
Why do you think only people with illegal intent would want to crack the encryption? There are legal groups that might have the computing power necessary to do this and the motivation. Think the NSA. If some terrorist had a PDA, the NSA would definitely want to crack any encryption on that device, and they would likely do it for even one encrypted file.

As for illegal groups, do you know of any that would buy a Cray to crack passwords? Criminals tend to go for the easy marks. There are much easier ways to get credit card numbers than stealing PDAs and cracking encryption.

Steve

Ed Hansberry
07-07-2004, 12:59 PM
Even with a Cray, how long would it take to break 128-bit encryption?
Longer than the universe has been in existence. Way longer.

jali-p5
07-07-2004, 09:59 PM
Yes, it syncs the file through ActiveSync so any updates made on the desktop will show up on the PPC.

I'm just curious to know how you get the file to sync through ActiveSync, 'cause the PPC version doesn't create a link to sync data unless you have saved it in the "data" folder and are syncing your data files.

Currently, I'm just using an SD card to house the data, PPC-exe, and PC-exe all in the same directory. Both exe's will access the same database file in order to obtain my passwords. I use the SD card with a USB reader as my password vault... works pretty well... :D

jsnielsen
07-09-2004, 05:11 PM
Flexwallet 2005 here :)

TDR
07-10-2004, 12:07 PM
I looked at about 15 security/wallet products out there and finally settled for Tombo.
Reasons include:
* Tree structure - I found this to be the most flexible way to sort out all my information and find it fast
* Price - free, although I was happy to spend up to about $US 10-15 if I had to, so this was a bonus and not a criterion.
* Global search capability, including search inside encrypted notes. It's amazing how some wallet programs do not offer a search capability
* Desktop version included - I considered this a mandatory requirement
* synchronisation via activesync without having to install a separate conduit or use a database link
* very small footprint. No space wasted with fancy icons, graphics etc.
* I could mix both secure and non-secure stuff in the same tree hierarchy.
* I found the template or field structure associated with these wallet/security programs to inevitably be restrictive; I have about 200 entries in Tombo. Free-form text ended up being the easiest and fastest to key in and maintain. Cut/paste is good enough for all the things I need to do.

cheers
TDR

Tomcat
07-12-2004, 10:56 AM
However....

128-bit encryption is roughly 309,485,009,821,345,068,724,781,056 times stronger than 40-bit encryption, which can be cracked in a day or so with a modern PC. That means with today's computing power, it could take 8,479,041,364,968,358,047,254 centuries to crack. I am not really concerned if Moore's law continues, doubles or even quadruples in my lifetime. :mrgreen:
I agree again, but do wonder about one thing. If somebody doesn't use a password with 128-bits, is it still as secure? For example, if my password is xyz123abc, that's only 72 bits of information, so will the encryption be as strong? I doubt it.

Do I have to use a 16-character password to get close to 128-bit encryption? (I say "close to" because I don't know if you can put control characters in passwords in most eWallet applications, which would eliminate 32 of the 256 possible characters.)

Steve

Why use characters? Just use taps in a picture like in visKeeper: www.visKeeper.com

Thomas
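
The password-length question quoted in the post above, worked through as an added example (not part of the original thread). The attack rate is calibrated to the thread's own figure of a 40-bit keyspace searched in about a day; the character-pool model and all function names are assumptions of this example.

```python
import math
import string

# Assumption taken from the thread: a 40-bit keyspace is exhausted in ~1 day.
GUESSES_PER_DAY = 2 ** 40

# Character pools a password is assumed to be drawn from (model of this example).
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")

def alphabet_size(password):
    """Combined size of every pool the password draws at least one character from."""
    return sum(len(pool) for pool in POOLS if any(c in pool for c in password))

def entropy_bits(password):
    """Upper bound on the search space in bits; human-chosen passwords are weaker."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size > 1 else 0.0

def days_to_exhaust(bits):
    """Worst-case days to try every candidate offline at GUESSES_PER_DAY."""
    return 2 ** bits / GUESSES_PER_DAY

def centuries_to_exhaust(bits):
    """Same worst case expressed in centuries of 365-day years."""
    return days_to_exhaust(bits) / 365 / 100

def chars_needed(target_bits, pool_size):
    """Random characters required from a pool of pool_size to reach target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))

if __name__ == "__main__":
    pw = "xyz123abc"  # the example password from the thread
    bits = entropy_bits(pw)
    print(f"{pw!r}: {len(pw) * 8} bits stored, {bits:.1f} bits of search space, "
          f"{days_to_exhaust(bits):.0f} days to exhaust")
    print(f"128-bit key: {centuries_to_exhaust(128):.3e} centuries")
    for label, size in (("lowercase", 26), ("lower+digits", 36),
                        ("printable ASCII", 95), ("256 minus 32 control", 224)):
        print(f"{label:>22}: {chars_needed(128, size)} random chars for 128 bits")
```

The 9-character example occupies 72 bits but spans only about 46.5 bits of search space, so the passphrase, not the 128-bit cipher, sets the cost of an offline attack on the wallet file.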

esher2292
07-12-2004, 02:08 PM
You forgot another one - http://keepass.sourceforge.net/ - and it's open source (free)!!

It comes with both a desktop and PPC version - the desktop version doesn't need an install.

It has some importing capabilities, including CodeWallet and CSV files.
It can export to TXT, HTML, CSV and XML.

It even allows you to use a USB key drive as a "password" - I know, not useful for us PPC users, but still a cool feature.

It has other neat security features like when copying your password to the clipboard, it will erase the clipboard in X seconds, so someone can't come after you and paste to see your password.

The only thing keeping me from converting to it from CodeWallet is that you cannot customize the fields (I hope they implement something like what Flexwallet just released!).

Still, it is worth a look - especially for those folks who would rather use Excel than pay...

I saw that on The Screen Savers and kevinrose.com. Can't you use the PPC as the "key"?

axe
07-15-2004, 02:44 AM
I use the encryption in Adobe Acrobat for storing passwords. I only have to remember one, and I can use 40 bit or 128 bit encryption simply by printing from WORD.

AXE

esher2292
07-15-2004, 07:32 PM
Lol