VisorCentral.com (http://discussion.visorcentral.com/vcforum/index.php)
- How To / Troubleshooting (http://discussion.visorcentral.com/vcforum/forumdisplay.php?forumid=2)
-- built in security or other addons ? (http://discussion.visorcentral.com/vcforum/showthread.php?threadid=2344)


Posted by gary ng on 02-09-2000 12:17 PM:

Hi,

Just got my Visor Deluxe. Wondering if the built-in security feature is good enough or if I should get one of those encryption programs? And if I really should opt for one of those add-ons, which one would people recommend? Well, I would just like to store things like passwords, PINs, etc.

Thanks in advance.


Posted by ragamuffinn on 02-09-2000 01:50 PM:

If you use the built-in security alone, it isn't likely that someone will have the opportunity to get to your passwords if your Visor gets stolen. A more reasonable concern is the vulnerability of the data on the computer you hotsync to. If you sync at a computer that you do not have complete control over--particularly in an office environment--or even if your computer at home gets stolen, someone may have the opportunity to view the hotsynced files with a hex editor, and the "hidden" records belonging to the default apps will no longer be so hidden. So just in case, I think it's a good idea to use encryption software for your passwords.

Some encryption apps are intended to work as memopads and are thus quite versatile. Others are made specifically for account passwords and come with predefined fields. I don't use the former, but I do use the latter. A good one, IMO, is STRIP. You can get a version with 128-bit, IDEA encryption. It's also FREE! Another one I've tried, Multiaccounts, has a slightly better interface, but has a proprietary encryption scheme that is not as strong as IDEA, and it's shareware.

Some have conduits and desktop applications to make data entry easier. One is TopSecret. It's closer to the memopad type, and comes with 128-bit encryption (TINY, I think). It's also shareware.

[This message has been edited by ragamuffinn (edited 02-09-2000).]
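The point above about "hidden" records in hotsynced files, as an added example that is not part of ragamuffinn's post: in the standard Palm database (PDB) layout the private flag is a single attribute bit in each record's index entry, and the record bytes are stored unencrypted. The sample database is constructed in memory, and the function names are hypothetical.

```python
import struct

HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")  # 78-byte PDB header, big-endian
ENTRY = struct.Struct(">IB3s")                 # data offset, attributes, unique ID
SECRET = 0x10                                  # attribute bit behind "private"

def build_sample_pdb(records):
    """Constructed test input: a minimal PDB image, not a real device backup."""
    n = len(records)
    offset = HEADER.size + ENTRY.size * n + 2   # two pad bytes follow the index
    header = HEADER.pack(b"MemoDB", 0, 0, 0, 0, 0, 0, 0, 0,
                         b"DATA", b"memo", 0, 0, n)
    entries, body = b"", b""
    for uid, (text, private) in enumerate(records, start=1):
        attrs = SECRET if private else 0
        entries += ENTRY.pack(offset + len(body), attrs, uid.to_bytes(3, "big"))
        body += text + b"\0"
    return header + entries + b"\0\0" + body

def list_records(image):
    """Return (is_private, text) for every record in a PDB image."""
    count = HEADER.unpack_from(image, 0)[-1]
    entries = [ENTRY.unpack_from(image, HEADER.size + i * ENTRY.size)
               for i in range(count)]
    out = []
    for i, (start, attrs, _uid) in enumerate(entries):
        # A record runs up to the next record's offset, or to end of file.
        end = entries[i + 1][0] if i + 1 < count else len(image)
        if not HEADER.size <= start <= end <= len(image):
            raise ValueError("record offset outside file")
        text = image[start:end].rstrip(b"\0").decode("latin-1")
        out.append((bool(attrs & SECRET), text))
    return out

# Constructed sample: one ordinary memo and one memo marked private.
SAMPLE = build_sample_pdb([(b"Grocery list", False),
                           (b"example-pin 0000", True)])

if __name__ == "__main__":
    for private, text in list_records(SAMPLE):
        print("private" if private else "public ", repr(text))
```

Running the same check over your own backup directory shows which records depend on the flag alone; anything that must stay confidential on the desktop side has to be encrypted before it is synced.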


Posted by Winchell on 02-09-2000 05:44 PM:

Cool

And keep in mind that the built in security does absolutely nothing if you fail to set the security app to "hide private" each and every time you turn your Visor off.

I'm using a hack called Secure Hack which automatically hides private docs at power off.


Posted by bregent on 02-09-2000 06:39 PM:

I agree, Strip is great and you can't beat the price. But I ended up going with CryptInfo because I liked the interface better. I create new accounts a lot and just found CryptInfo easier to use. I also liked the fact that I could import my already existing 50 accounts into it. Maybe Strip can do this now? CryptInfo is not cheap at $12.95, but to me it was worth the registration price.

Whatever you do, don't rely on the Palm's security to store sensitive account information.


Posted by frasej on 02-09-2000 10:03 PM:

You might also look at SecureMemo from Certicom. It's a free replacement for the MemoPad, but it will encrypt any memo you like.

------------------
Jay


Posted by yucca on 02-10-2000 02:24 AM:

Thumbs down

I have previously posted my heretical views re: Palm security ( http://discussion.visorcentral.com/...TML/000298.html), and I still haven't seen anything that convinces me that a Visor is a good place for sensitive information.

Even if I used encryption software, I would not presume that a misplaced or stolen Visor's data was secure. However, if you keep sensitive information on a desktop machine, that is indeed already your weakest link (especially if it is running Win9x).

Don't forget, checking and savings accounts do not have theft/fraud protection like that of a credit card account. If the access information to your checking and savings accounts is compromised, you could lose everything in them.

Furthermore, for the purposes that you are proposing, I'm down on encryption software (desktop or Palm) because a single strong password is going to be harder for you to remember than the number of PINs that most people need to know.

That said, there is always the need to secure non-sensitive private information in a manner that keeps honest folk honest. The built-in security, with something like Padlock Plus (a Hack), is fine for this purpose.

[This message has been edited by yucca (edited 02-09-2000).]


Posted by gary ng on 02-10-2000 02:52 AM:

Thank you all for the suggestions and information. I currently keep my sensitive information on a PC on a PGP encrypted drive (triple DES), and the hotsync data will also be on this drive only. What I don't know is how vulnerable Palm OS is, say, to people getting physical access to my Visor and loading some hack/apps to grab the information stored in it. Judging from the responses, it seems that the built-in security is very much like what one has on Windows 95/98/NT, which is a form of access control but the underlying content is in clear text format. If that is the case, I believe I really need some kind of encryption program to make sure the data itself is protected.


Posted by bregent1 on 02-10-2000 06:39 AM:

yucca,

You're certainly not alone in your views. But I feel that while not perfect, encrypting sensitive data will at least slow down unauthorized account access until I have time to change my account passwords. Of course there's no guarantee but I feel it's a worthwhile risk. Also, could you please explain what you meant in the statement below? Thanks.


quote:
Originally posted by yucca:
Furthermore, for the purposes that you are proposing, I'm down on encryption software (desktop or Palm) because a single strong password is going to be harder for you to remember than the number of PINs that most people need to know.




Posted by yucca on 02-10-2000 08:34 AM:

Arrow

Passwords are the weakest link in most security systems because people make them too easy to guess. If an attacker can guess your password or crack it with a dictionary program (or other cracking utility), then even a trillion bit encryption key won't protect your data.

There are many sources of information on this topic. One that I have on hand is:
http://consult.cern.ch/writeup/security/security_3.html

There is a science to determining the minimum length of your password (or pass phrase), so that it matches the level of encryption you are using (sorry - don't have any references available at the moment). Choosing a good pass phrase is a skill that most folks are just not willing to cultivate; never mind taking the effort to memorize the result -- and it was this last observation that was the inspiration for my comment that aroused your curiosity.

I'm guessing that most folks have two or three PINs to remember, for a total of 8 or 12 characters. A good passphrase for a 128 bit key should be more than 16 characters in length (if memory serves). See the problem?

BTW, your approach makes sense. Unfortunately, I'm afraid that too many folks are blindly placing their trust in software, when a little exercise of wetware is the better solution . . .

[This message has been edited by yucca (edited 02-10-2000).]

