Review: SplashID 35
As your mother always told you, using one password for all of your online accounts is a bad idea. Keeping multiple passwords for all of your various accounts is one of the best bets for online security, but remembering all of them can be challenge in and of itself. One solution is to keep them all written down and with you in your wallet or written on sticky notes and posted in various places, but that’s probably a bad idea too. For some, the only way to make managing that plethora of passwords and other pertinent account info work is if they can keep all of them strongly encrypted with one robust password that you can remember and on a device you have with you nearly all the time. Enter SplashID ($7.99 In the App Catalog), an application that allows you to keep all of your passwords in one, (hopefully) secure spot.
Installation and setup
Installation is straightforward: hit the App Catalog, search for SplashID, tap download, and you’re ready to go. From the initial launch screen, you’re presented with a short tutorial on how to use the app. To add an account, there’s a persistent “+” button in the main account scene that allows for the creation of an account. The familiar side-swipe gesture deletes accounts in this view, and one welcome addition here would be a modal notification asking for confirmation that you’d actually like to delete an account. While I didn’t accidently delete one during my testing, I can see how one could easily swipe away the 5 minutes of data entry some of the accounts require – it’s every bit as easy to delete accounts here as it is email in the email client.
Once in the account creation scene, the steps necessary to proceed aren’t immediately apparent: the requisite account type modifiers reside in drop-down lists that live in the upper left and right of the screen and are marked as “unfiled”, which isn’t a huge deal after you’ve learned what lives behind those non-descript buttons, but it represents a lack of UI polish that is thematic throughout the app. This theme continues to filters that can be applied in the account list view; two buttons residing in the top of the scene produce drop-down menus that allow you to sort by the account type (such as “insurance” or “bank”) that are set while creating an account, but the back gesture doesn’t turn off the filter, instead you have to manually go back to the account picker and reset it to “all”.
Also on the setup front, I did have program crash on me while adding accounts, albeit on very rare occasions. After typing “save” I would be greeted with a blank screen, with the back gesture only minimizing the application and the main drop-down menu being unresponsive.
Features and Use
Outside of those UI annoyances, SplashID is generally solid. The main scene lists of all of your accounts which can be searched by typing letters on the keyboard, and as mentioned above, you can sort the list by account type. One of the features you’ll immediately notice is how program will automatically lock after a user selectable amount of time (with the default being 1 minute), prompting you to re-enter your password – handy if you’re using a computer in a public place and put your phone down for a few moments without locking the screen. To make things more secure when you’re using the app in public spots, you can also toggle a password and PIN mask while inside of an account to obscure sensitive information but look at other details.
Now, I’m not a cryptography expert nor am I well versed in the intricacies of webOS security, so I can’t speak to how secure your data will actually be if your phone falls into the hands of the unscrupulous, but SplashID developer SplashData’s website states that the company employs 256-bit BlowFish encryption to secure your data – a number of bits and the name of an encryption algorithm that sound good enough to allow me to sleep soundly at night. And if ever you get cold feet, there’s always the option to securely erase all of the data in the program via the menu.
Topping everything off is the ability to securely backup and restore your data so you can perform periodic backups so in the event that your phone does get lost, stolen, or damaged, you don’t have to start from scratch and reenter all of your account info. So far as I know, SplashID is the only program in this category in the App Catalog to employ this feature.
Summary
Sure, Splash ID could use some UI polish (that, combined with the occasional but alarming performance oddities bring the rating down 1 and ½ stars), but it ultimately does a great job at what it was designed to be –a keeper of account information to keep the forgetful amongst us safer in the online world by enabling us to use a unique, complex password for each and every account we possess. Combine that with the unique backup and restore functionality, and you have an app that’s hard to pass up.
35 Comments
Nice!!
I remember when this was 30 bucks on Palm OS!!
Now just bring us Splash Photo!
I recommend this for more than just web passwords. I keep my driver's license #, car insurance info, vehicle info, health insurance #s, credit card #s and lots of other sensitive info. there are times I don't have my wallet on me but I wanna buy something from precentral.net store. I can browse the web on phone, use multitasking to pull up splash id, and then copy/paste credit card info and order online. I just got a TV on line this way. very nice.
I don't work for splash, nor am I paid by them, but I loved this on PalmOS and it definitely makes my life easier on WebOS. I am a little nervous about security, but I still sleep ok
Yea I wanted SplashMoney as well Checkbook by GlithTech Science has identically functionality as SM expect the recurring transaction (work in progress) Just FYI.
Regarding copy/paste: while they do support copy/paste, a record must be opened for edit in order to copy the field. The iPhone version has a copy button, IIRC.
I have used SplashID for many years on the PalmOS with the desktop application. While the WebOS version is pretty good, SplashData needs to step up to the plate and implement the desktop sync capability that they've said they're working on for many months.
I really loved SplashMoney on PalmOS. I'd love to see that for webOS, but I've given up waiting and moved on to something else. It was just too cluncky on Classic.
Have been a SplashID user and supporter for many years. Have had this App since day one of WebOS (one of the 1st apps in the catalog as a beta). I was able to easily import my ID database from my Desktop version (that was linked to WinMo). However, if they're going to charge $8 for this App, I challenge to SplashID to make this app work with the Desktop Client package that I purchased for $30. The fact that I (as a long-time loyal and paying customer) have to manually export and import my files to keep sync between PC and WebOS is ludicrous! Additionally, if they do come out with a Desktop sync client that is different than the one that I (and many others) already paid for, they had better plan to offer us an EXTREMELY low cost upgrade (actually... "Cross-Grade"). If not, this long time customer/user will be taking his business elsewhere!
Bottom Line... SplashID is a great, solid product. If you don't require desktop syncing, then no question it's a great solution, if you're willing to spend the $8. A seamless desktop sync solution will make this a top notch 5-star package... until then 3.5 stars from me!
Well Robert.... I have one major issue regarding your review...
Your comments on backup restore // did you try it? Did it succeed? Sounds like your recommendation is based on speculation. I'm not saying it doesn't work... I am saying , next time... be thorough.
Secondly, you say "As far as I know"... SplashId is the only app that does backup/restores. If you had done a little research you would have found other secure password storage apps also provide backup/restore... Namely JVault.. for one.
Do your homework. Just read SplashId's history in Precentrals forums... It doesn't have much of a positive track record.
On the Treo I loved SplashId.. On the WEBOS I did some homework and I found JVault to be a better deal. You can backup/restore... but you can also purchase (separately) a desktop companion you can backup/restore from (just like SplahID back in the PalmOS days). I bought the app + desktop companion... I can restore by syncing, to my PC or storing/restoring data via email... I've tested and it works flawlessly!
JVault is a much better deal.
Is this integrated into the browser or do I have to copy and paste?
Avoid the webOS version of SplashID like the plague! I was an avid user of the PalmOS version since it was first introduced. It synced well with the Palm desktop and had a great user interface. While the webOS version has a similar interface, there's no sync option and the only way to backup and restore data is by copying and pasting encoded data that is sent by email. I sent the encoded backup data to myself from SplashID and thought I was in good hands until my phone died and I tried to restore the data to my new phone. SplashID kept giving me errors every time I tried to import my data and I lost all my password information.
I'm now using jVault and although the user interface leaves a lot to be desired, at least it works.
just for the record. Blowfish isn't all that great by itself. And 256 bit encryption is a pretty basic bit-level for modern encryption. I'm no security expert either, but I don't think I'd trust my sensitive info to anything less than a 512bit hybrid algorithm. Oh, and it'll have to have a random-input feature. Sorry, but this app might keep your kids out of your credit card #s, but a novice hacker would have all your numbers and paswords pretty quick.
Careful there. Blowfish is a symmetric cypher. 256-bit encryption is plenty for symmetric algorithms. 128-bit keys are probably sufficient for personal data for the next several years. NSA has authorized 256-bit AES (another symmetric cypher) for Top Secret materials.
You are probably thinking about asymmetric algorithms which require much larger keys for equivalent security. Your bank probably uses 1024-bit encryption in asymmetric applications. I personally use 2048-bit keys for asymmetric cyphers when I can.
LastPass is what I use... works on WebOS and integrates with all my laptops, PC's etc...
I just read a white paper about all these passwords we have to have. The conclusion was that a few secure base passwords used for everything (with minor modifications for each use as needed) is more secure that then 30 passwords that we have written down or have autosaved somewhere. It also concluded that the more you make a person change the passwords, the simpler they get.
The fact the most passwords are easily cracked with common data or reset with info from your facebook acount you have open to the world is the bigger security threat than making passwords 20 characters long with all 4 character types.
I can't find the link at this time, but it was an interesting read for someone that works on network security for a living.
They finally added actual backup and restoration functionality?! That was the only reason I completely refused to purchase this app even though I use the shareware version and used the PalmOS version previously -- I thought it was completely ridiculous that I had to do a manual system backup [using rsync] so that I would be able to restore SplashID data later. One person said it doesn't work for them, though. Does anyone have successful experience with the backup and restore funtionality?
The app KeyRing is a free GPL application available through preware that I use and it works great.
If I'm not mistaken, it has very nearly all the same functionality.
http://forums.precentral.net/homebrew-apps/201944-keyring-easy-password-...
I am waiting for syncing ability. I have PasswordPlus which I used for years on PalmOS. But since it is a Dataviz product and they don't even maintain the Palm version anymore we all know the likelihood of getting a WebOS version.
There are a couple webOS password keepers. First one that does syncing gets my bucks. Meanwhile PasswordPlus works in Classic.
I also use LastPass. A good password manager needs to be available on all your platforms (desktop OS, browsers, phone) and without having to manually sync. What good is it if you can't sign into that website you just registered for yesterday because you forgot to sync last night? LastPass stores it in the cloud accessible from every desktop/mobile OS and browser (including webOS of course). Plus it's only $12/year to get the mobile access, and that includes premium desktop access. I think it's the way to go, it works great for me.
Wow. Another 3 and a half stars on a Precentral review. Either every accessory and software manufacturer is always shooting on the same level or Precentral needs to spend a bit more time being thoughtful and honest with their ratings. As they are now, it seems useless.
@troyferrell, your right, I was thinking blowfish was asymmetric. That said, it is still one of the weaker symmetric algorithms. The original author even recommends using the newer twofish instead. Personally, I like to use an AES+Twofish cypher. May be overkill, but I'm ok with that.
I still stand by what I said about needing random input for your key generation though. Any crypto app that relies on the not-so-random number generator computers use is asking to be broken into.
I've been using SplashID since launch day and I too am disappointed we don't have a desktop/cloud sync option yet, at this point I'm doing double entry into the phone and my desktop app.
I can say the Save/Restore application from webOS Internals works great for backing up your SlashID data. I had to webOS doctor my Pre and was able to restore my SlashID data to the app after reinstalling it (I actually got off the beta version at that point too and was relieved that Splash had not changed the db).
I've thought about using something like Last Pass but my issue there is the data is in the cloud, so if I don't have an internet connection I can't get to my usernames/passwords, right? I like to have the data stored and encrypted locally so I always have access to it from that device. If it can sync between all those devices, so much the better.
I gotta say, as much as I love webOS, I don't see how an app like this could POSSIBLY ever be secure... anyone that has ever installed a patch with Preware knows how ridiculously simple it is to patch a webOS application... what you may not realize is that it's also ridiculously simple to grab the source for any app on your device.
So, how hard would it be to write a quick patch that allows you to enter gibberish for the master password, have it be accepted as correct, and then the progrm shows all the others in plain text? I'd be willing to bet it'd take less than an hour for any competent programmer out there.
Might it protect reasonably well against the non-technical person? Probably yes. Is that good enough to protect the password for your online bank account system? You decide :)
I'll also, in fairness, say that I could be wrong. Maybe the developer of this app has figured out something more robust than I give them credit for. Indeed, it sounds like the actual protection is more than sufficient to protect the information... but only in its encrypted form! And if it's trivially easy to get at it in the unencrypted form, what's the point? As always, getting around encryption is by far easier than cracking encryption, that's been true for years. I'd be shocked and utterly impressed if this app, and all others like it on webOS, weren't vulnerable in the exact same way.
fzammetti,
Be careful not to spread FUD about something you don't understand, and your comments about how easy it would be to supply a fake master pwd *show* you don't understand how an encrypted data store works.
The data isn't just inaccessible without the correct password, it's indecipherable. It can't be unencrypted without your password.
Sorry man - the way encryption works, if you don't have the original key you can't decode the data. Breaking into the app without it would be like... thinking just because you can open the book means you can read it, even though its written in Sanskrit.
Not that SplashID doesn't have issues... I'll write about that in a minute...
"So far as I know, SplashID is the only program in this category in the App Catalog to employ this feature."
If jVault has backup and restore functionality, then SplashID certainly isn't the only app with such features in the same category.
My DataBank was the first database app released with backup/restore functionality during the time when lost Palm data was a big news issue. While a number of users complained and commented about Splash ID lacking data backup/restore features. My DataBank allows you to e-mail the data in a proprietary format with an online tool that lets you convert the information into CSV format.
How about some love for SecuStore? It's homebrew (+1) it looks more intuitive than SplashID (+1) it doesn't have a desktop solution (yet)(-1) though it does have backup/restore. Best of all, for now, it's free! Would love to see Precentral do a review video like this one, I think you'd see the difference. For all the former SplashID users out there, you can easily import a .csv file to SecuStore to get started. No, I'm not paid by the dev.
As for password managers/security, take a look at grc.com for a quick spin-up. Subscribe to the SecurityNow podcast (using drPodder, of course) if you want to know more. I've seen a similar article saying that the time wasted changing passwords and doing updates isn't financially equal to the annual losses incurred from password theft/hacking... but still, is it worth it? I'm intrigued by cloud solutions like LastPass but, at least to me, a little physical security (i.e. you have to nab my phone AND crack the resident database) is better than a database hanging out in the cloud. If any independent security experts have reviewed LastPass, would love to see what they found.
I second this motion. SecuStore beats SplashID hands down! I've tested the backup and restore for SecuStore and it works. Also, it just got support from the Save/Restore homebrew app. People, try SecuStore.
I'm dying for a KeePass build for WebOS. I was an eWallet user on PalmOS and it synced beautifully to the desktop. Alas, I haven't seen indication that either of these companies are working on a WebOS version?
I can't imagine that everyone's life doesn't require some password management. It should if you are careful at all. Anyway, my job requires it too so I'm to post my desire for a good password vault that syncs to my desktop. SecuStore is the best so far.
Also, I don't put my password vault in the cloud so LastPass isn't an option.
I'm more of a free-form notes type person, so I ended-up making my own app called CryptoNotes.
On the Palm web feed: http://developer.palm.com/appredirect/?packageid=com.hbconcepts.cryptono...
Or the web page for the app: http://www.hbconcepts.net/
I too have used SplashID with previous Palm products and I enjoyed the synchronization with my desktop. I would have expected more from this version which I have been using for 9 months. Things that are missing include:
Easy cut-and-paste of fields
Desktop client synchronization through USB drive
Optional cloud synchronization for multiple device synchronization and backup.
When SplashID has these capabilities, then I will considering purchasing the application. Until then I will look for an application that has these features.
I too use JVault, and find it to be a simple program to use, and it syncs with my desktop. In the future, it would be nice to have a product review compare the product with other similar products. From what I read in the SplashID review, it sounds like it is not nearly as good as JVault.
I also use Jvault, mainly because I liked the integration with a desk top version. However, my understanding is that it does not offer true syncing--you just overwrite either what is on the desktop or the device. (ie if both databases have changed since the last "sync", you will lose the change in one of them). So when I make changes/additions, on my pre, I put them into a new category, then sync to a different database on the desktop, copy/paste from that into the "default" desktop database, and then "sync" back onto the pre.
I'm hoping Jvault will make an improvement to make it truly sync.
I've been a long-time user of SplashID, from many years ago on palm OS. The desktop app is decent (although the fact that it only password-entries for Internet Explorer means I don't use that feature), and the fact that it *can* sync to my Pre is a good thing. I know its manual, but that's better than nothing.
*However*, buyer beware! Splash has been *very* slow to release any kind of functional updates for SplashID - lately they seem busier with their iPad version. I believe they purchased Iambic recently - if they come out with a WebOS version of Agendus, I'll be their fans again.
In the meantime, they've been promising some kind of online or automated to-your-PC sync solution for many months now with no results. Worst of all, a search of data on the Pre only searches one field, and doesn't look for substrings! For instance: you have multiple logins on the same machine. On the desktop, the first field for a Server Login entry is "machine". So, you enter your machine "blahblah", then user in its field, etc. Once you've synced to the Pre, every single entry for that machine (one per user) shows in the list as "blahblah". And you can't search by userid, since that field isn't searched. You have to open. each. entry. one. at. a. time. until. you. find. the. right. one.
The lack of comprehensive search on top of the lame attempt at a backup strategy means SplashID isn't worth it yet.
If we're really lucky, its just because they're off working hard on Agendus.
jVault was the first on WebOS to work directly with a desktop version using USB. And it sounds like it's still the best. It's disarmingly simple to use, can use various "template" field names or just "free form", and has the same high level of encryption. The desktop version can instantly copy the database to, or from, the Pre over USB, and you can do so with multiple PC's. Like so many WebOS aps there's no true "sync", though they say they're working on it. The desktop version is FREE. My first record at the top of jVault is called "DATE OF LAST CHANGE", which I keep updated so I won't forget which copy is the "newest". You can back it up instantly on the Palm, and on the desktop. There's even an option to back it up as an encrypted email, though I haven't tried it and don't see a need to. I keep all my PC software keys, business info, and tons of personal data in it like I did in Turbo Passwords on my PalmOS Treo 700p. jVault can import or export using ".csv".
I used Chapura Turbo Passwords for many years on WebOS. It never failed, was more (too) sophisticated, and did a true "sync" to multiple desktops along with everything else in PalmOS. Chapura kept saying they would write a version for WebOS, but never did. I kept my 700p and didn't get a Pre for way too many months while waiting for Chapura until finally jVault came out. Turbo Passwords for PalmOS appears to work perfectly under CLASSIC! But since Chapura won't support it there's no way to sync, copy, import, or export. If there were I might STILL be using it under CLASSIC.
I have to agree that jVault seems to be a better program. And, the developer is amazingly responsive - he and I exchanged several emails (and a beta version of the desktop app) via email over the course of yesterday alone.
However, the desktop app is *not* free. You can get a free 7 day trial, after which it costs $7.99.
I'm curious about LastPass - a lot of people have said they worry because it stores data in the cloud, but it apparently only stores your *encrypted* data in the cloud. Having all passwords on all devices (and browser autofill) would be awfully nice...
In the meantime, jVault was able to import my old SplashID database, so I'm pretty happy for now.
I used Roboform for many years, but when I saw LastPass on WebOS, and Mozilla and Chrome, (and it works cross platform with Windows, MacOS, and Linux), I switched.
WOW!
I'm surprised no one has mentioned Secret! for WebOS.... It's also available for the iphone, android and Blackberry.
Yes it Does sync to your Desktop. http://linkesoft.com
ChasPalm