Sticky password security audit



Postby TriadX1 » Mon Nov 01, 2010 9:24 pm

Now that beta is over for 5.0, I was just thinking about a project that I am working on that deals with user security. We had an incident where a developer innocently inserted a few lines of code while troubleshooting an exception so that it emailed the form data that a user entered to his email address. Well, like any large app, he forgot to remove the code and so he was getting data in his email after the release. Since this was not intended, we quickly had to release a new build without that code. No user was aware that it was doing that. I know from a developer standpoint it can be difficult to think of every possible scenario of how to fully secure an application, and one little tiny piece of code can make a "secure application" the mother of all insecure apps. So, since that time, once we are ready to release a new build, I like to use a recognized independent security expert to review the code, who can certify that it is secure. This makes the users feel a lot better, as well as myself…

Since I am an end user and am "putting all my eggs in one basket" by putting my faith in Sticky Password's security, I was just curious if you guys have any type of formal independent security audit of Sticky Password code? As a developer, I always question whether any application of this type is truly secure, and I know I always feel safer knowing that every measure has been taken to ensure my data is safe...

TriadX1
New user
 
Posts: 6
Joined: Thu Apr 01, 2010 11:16 pm

Re: Sticky password security audit

Postby Angel » Mon Nov 01, 2010 10:30 pm

Just an opinion and I don't work for SP however, I wouldn't feel any more or less comfortable about "putting my eggs in one basket" if there was a security audit. If I was a developer, I would be more worried about putting revenue into making my product better than worrying about the mistakes of one or two designers. Regardless of what you do or what you implement... there will be the issue of human error or the issue of malicious behavior.

If you want your data to be super secure.. you better design and code the application yourself and oh yeah.. get a body guard. See this comic by xkcd to see why.
http://xkcd.com/538/

At some point, you have to put your trust into companies. We do that every day when we step into our car to drive to work. We do it every day with the time we put in at our workplaces, trusting that they will pay us. We do it every day when we get our money deposited into a bank. We do it when we pay our bills to the insurance companies. We trust that companies are doing the right thing left and right. This company should be no different. If a company seems sketchy... you shouldn't do business with them. I have seen little reason to fear SP with the exception of that one bug that I have that is HUGE and outstanding (Hint Hint developers). If they ever do something to break my trust, you can rest assured... I'd be one of the first to bail on this ship considering how sensitive the information I trust with them is.

<rant off>
Angel
New user
 
Posts: 23
Joined: Fri Dec 04, 2009 7:45 pm

Re: Sticky password security audit

Postby petr.pinkas » Tue Nov 02, 2010 10:16 am

Hi TriadX1,

thanks for sharing this issue with us, it is very interesting and seems like it is typical for big companies for sure, and mistakes always happen, so yes, it is necessary to audit the code from time to time. We know that, since our team worked for an enterprise company for years.

I can assure you that we test our product all the time during the development process in great detail, and the audit is performed with every big change of the code, so I think it is not possible that it will ever happen to us. We do black-box testing, white-box testing and all the classic processes you can expect and which are standard nowadays for IT development.

You can absolutely "put all your eggs in one basket", in the meaning of putting it into our safe database.

I hope you feel safer now and all others who will read this post...
Petr Pinkas
Sticky Password Team

petr.pinkas
Site Admin
 
Posts: 617
Joined: Fri Apr 24, 2009 10:22 am
Location: Czech Republic

Re: Sticky password security audit

Postby petr.pinkas » Tue Nov 02, 2010 10:33 am

Angel wrote:
> At some point, you have to put your trust into companies. We do that every day when we step into our car to drive to work. We do it every day with our time we put in at our workplaces that they will pay us. We do it every day when we get our money deposited into a bank. We do it when we pay our bills to the insurance companies. We trust that companies are doing the right thing left and right.
> <rant off>

Yes Angel, you are right at this point, we trust all at this point, but sometimes you want to be assured even if it can be a lie, because you feel safe. Those situations like "Is it safe to jump off this rock for a bungee jump? Is the rope safe enough?" and they will say "Of course it is". Is that enough so you will trust them? Kind of :)

At our point and in this scenario I can just say for our company, that we're doing our best and follow all security rules to make the product as safe as it is possible.
Petr Pinkas
Sticky Password Team

petr.pinkas
Site Admin
 
Posts: 617
Joined: Fri Apr 24, 2009 10:22 am
Location: Czech Republic

Re: Sticky password security audit

Postby TriadX1 » Sat Dec 04, 2010 12:39 am

I hope I did not offend anyone with my original post, or as a matter of fact, this post. It is not my intention. I do trust the folks at Lamantine. I have used the Sticky Password product for years and have even done beta testing for the product. I continue to use Sticky Password for storing over 200 passwords from everything from bank accounts to blogs etc.

But, nowadays with all the "leaks" and untrustworthy applications and companies (like Facebook), I know a few users who would not "trust" a company like Lamantine with their most sensitive data and passwords. If the product had a "security seal" by a third party, trusted security firm with each build, it would go a long way to getting the trust of these users, and may help Lamantine sell a lot more copies. Sticky Password has earned my trust, and I would like to get others more paranoid than I to trust it as well.

Here is a real concern from a friend of mine who, when I tried to recommend Sticky Password, suggested: "If I were a hacker and wanted to get easy access to a LOT of people's most sensitive data like passwords, bank accounts, credit cards etc, I cannot think of a better way to get that data than to create a password database app, let it run legitimately for a period of time, and when it has gained a few hundred thousand users have it 'phone home' and dump the users' secrets back to a mother server. It would be the ultimate phishing scenario, without the need for the phishing part."

To my disappointment, he ended up using an open source solution and as a developer himself, he could then verify that the code did not have a "phone home" function... I could not debate him further on his concern. I really like this app, and do trust the folks at Sticky Password, and would like to recommend it to my "paranoid" friends, but it is hard to argue their concerns. I am just trying to be a good user and as a problem solver, make suggestions based on my observations. A security audit by a trusted, independent 3rd party is the only solution I could come up with for this scenario...

TriadX1
New user
 
Posts: 6
Joined: Thu Apr 01, 2010 11:16 pm

Re: Sticky password security audit

Postby #samurai# » Sat Dec 04, 2010 1:22 am

:? How can the hacker have access to the Sticky P. database when it's on your own PC, encrypted and locked down? Even if someone manages to steal the database, it would take so much time & effort to decrypt it. Not worth the bother unless he knows your master password, which I'm sure u keep in your head, not on paper. The scenario u described reminds me of a different password manager, LastPass! :mrgreen:
#samurai#
New user
 
Posts: 18
Joined: Thu Dec 02, 2010 2:34 am

Re: Sticky password security audit

Postby petr.pinkas » Sat Dec 04, 2010 11:07 am

Well, to take it to another level, as you have mentioned LastPass - how can you trust this kind of product when everything is online on their servers, and when you're offline and not connected to the Internet you do not have your passwords? They are gone. What if they shut down, go bankrupt? Your passwords are gone forever.

However, again to defend ourselves if you have some "paranoid" friends - OK, if someone installs some phishing application on your PC, he can gather all data coming out of your PC over the internet. Which in our case is only license information :) How can he get your passwords from that kind of information?

Of course, if someone creates some "Sticky Password like" application, you can get in trouble, but this installer will never be available to download on our site AND the most important thing - it will never be signed by a VeriSign signature. So, in general, if you download the installer from our website, you will never be in trouble. We have our website secured by several protocols and mechanisms and it is on our own server where nobody can access it.

I hope we're clear over here and you and your paranoid friends will be ok :)
Petr Pinkas
Sticky Password Team

petr.pinkas
Site Admin
 
Posts: 617
Joined: Fri Apr 24, 2009 10:22 am
Location: Czech Republic
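A check a cautious user can run before installing, following Petr's point that the genuine installer is code-signed: this is an added PowerShell example, not code from the thread or from Sticky Password, and the installer path and expected publisher name are placeholders to fill in. It confirms the Authenticode signature is valid and that the signer is the publisher you expect, not merely that some signature is present.

```powershell
# Added example (not from the thread or the vendor): verify a downloaded
# installer's Authenticode signature and signer before running it.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\INSTALLER-NAME.exe",  # placeholder
    [string]$ExpectedPublisher = "EXPECTED PUBLISHER NAME"                      # placeholder: vendor's legal name
)

function Test-InstallerSignature {
    param([string]$Path, [string]$Publisher)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Ok = $false; Reason = "file not found: $Path" }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the certificate chains to a trusted root AND the file's
    # hash matches the signed hash. 'NotSigned', 'HashMismatch' (tampered
    # after signing) and 'UnknownError' all mean: do not run the file.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "signature status: $($sig.Status)" }
    }

    # A valid signature from *someone* is not enough: a lookalike installer
    # can be signed too. The signer must be the publisher you expect.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($Publisher)) {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected signer: $subject" }
    }

    # Record issuer, thumbprint and file hash so this download can be
    # compared with a previous one or with whatever the vendor publishes.
    return [pscustomobject]@{
        Ok         = $true
        Reason     = "signed by $subject"
        Issuer     = $sig.SignerCertificate.Issuer
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$result = Test-InstallerSignature -Path $InstallerPath -Publisher $ExpectedPublisher
$result | Format-List
if (-not $result.Ok) { exit 1 }
```

Compare the printed thumbprint against the one from an earlier download; a change in signer or issuer between releases is worth asking the vendor about before installing.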
