IWETHEY v. 0.3.0 | TODO
1,095 registered users | 1 active user | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Security Forum / How good is the password protection on a Palm
Post #48,331
by bluke
8/6/02 7:02:08 AM
Reply
New How good is the password protection on a Palm
If I store some sensitive information (e.g. a credit card number) on my Palm V and password protect the entry, how secure is the information?
Post #48,337
by static
Picture of static
8/6/02 7:43:03 AM
Reply
New Rudimentary.
I haven't explored this personally, but it generally depends on the application interface. So it is possible to read "password protected" entries in the raw data file from a PC HotSync. However, newer versions of PalmOS are rumoured to enforce some aspects of data privacy.

If you want to store stuff like a credit card number, try [link|http://www.normsoft.com/cryptinfo/index.shtml|CryptInfo] for which I can thank one Karsten Self for. :-)

Wade.

"Ah. One of the difficult questions."
Post #48,339
by bluke
8/6/02 7:52:32 AM
Reply
New very insecure
Here are some links that I found
[link|http://www.wired.com/news/technology/0,1282,42198,00.html|Threat in the Hand of Your Palm ]
[link|http://www.maximumpda.com/articles/SecurityRevisited--PalmT.html| Security Revisited--Palm Tipsheet #18]
Post #48,340
by static
Picture of static
8/6/02 8:00:46 AM
Reply
New *grin*

"Ah. One of the difficult questions."
Post #60,846
by rickmoen
Picture of rickmoen
11/3/02 4:20:31 AM
Reply
New It depends
"bluke" wrote:

If I store some sensitive information (e.g. a credit card number) on my Palm V and password protect the entry, how secure is the information?

1. Store it where? In what software?
2. What's the threat model you're worried about?

There are PalmOS apps that store data in 3DES or Rijndahl-encrypted data stores, pulling it out only long enough to display an entry at a time. You can find several of those in my [link|http://linuxmafia.com/pub/palmos/|archive] of all known open-source applications for and about PalmOS.

However, that solves only one threat model, that of stealing a copy of the stored database of passwords, either by stealing the PalmOS device itself or by stealing your backups. There are other threat modes: People can "shoulder surf" (watch the screen over your shoulder, as you view it). They might talk you into installing a PalmOS app of theirs that combs through discarded temporary data for stack information, etc., or try to sneak it onto your machine over the IR or other ports, or via your Palm Desktop or equivalent "sync" files. And like that.

Questions about security that don't define the threat models of concern aren't likely to get you useful answers.

Rick Moen
rick@linuxmafia.com

If you lived here, you'd be $HOME already.
     How good is the password protection on a Palm - (bluke) - (4) - Aug. 6, 2002, 07:02:08 AM EDT
         Rudimentary. - (static) - (2) - Aug. 6, 2002, 07:43:03 AM EDT
             very insecure - (bluke) - (1) - Aug. 6, 2002, 07:52:32 AM EDT
                 *grin* -NT - (static) - Aug. 6, 2002, 08:00:46 AM EDT
         It depends - (rickmoen) - Nov. 3, 2002, 04:20:31 AM EST

Powered by a special Firewire direct connect!
38 ms