SplashID to forgo desktop sync for the cloud | webOS Nation
 
 


by Derek Kessler Wed, 18 Nov 2009 4:55 pm EST

Right now there’s no good way to sync or backup your data from SplashID on webOS, which is otherwise a perfectly good app. But without any way to backup your data, you’re left in a lurch if it ever happens that you have to reset or replace your phone. The good folks at SplashData recognize that and instead of pursuing the desktop sync function that has typified SplashID on every other platform.

Instead they’re going after the solution that typifies webOS: the cloud. SplashData will in the coming months release a cloud-enabled beta SplashID. The app will sync your passwords and other SplashID data to SplashID Live, the ecosystem’s online repository. Additionally, you can expect that in the near future the cost of SplashID will rise, likely to their standard $9.99. SplashData is currently asking just $4.99 for the webOS version as they didn’t feel comfortable charging the full price for an app with no desktop sync functionality.

Thanks to Jack for the tip!


60 Comments

I wish they would give options for both versions. Always a little scary to store your information online.

Is the online sync portion going to cost the same monthly / yearly subscription that SplashID Live costs? If so, not interested.

I also still much prefer eWallet which I had on my WM phone to SplashID (though SplashID is workable enough for now). SplashID is just too limited in the number of fields.

What are they thinking? I am NOT going to sync all of my passwords, however encrypted, into an online password storage system. This is tantamount to saying to hackers "Come and get it!".

I've loved the desktop/handheld sync for SplashID for years now. If they only offer cloud syncing it's time to change to another password storage program.

Have to agree with you.

Have you checked their security page?

https://www.splashid.com/account/security

As long as you have a good password, it'd be pretty difficult for anyone to get your data from it.

I have checked their security page, and it does seem like they have taken a very reasonable approach to security, based on the state of the art.

However, new holes are discovered continuously in what were thought rock solid security systems, for example the latest SSL man-in-the-middle attack. So even if SplashID have done everything possible under the state of the art, it is still likely that at some point, a security attack is found. At that point I do not want my data to be on a server I do not control in the cloud.

Please note I am not saying that SplashID are doing anything wrong. It's just that for *my* passwords I do not want them synchronised with anything outside *my* control.

If I can sync with my Mac in wifi range (over ssl) I am fine.

So you trust that nobody can hack into your wireless network?

It's not just state of the art, but Blowfish has been around since the 90s and still hasn't been cracked yet. The default encryption for Blowfish is 128-bit, and this goes above and beyond that with 256-bit encryption, and then on top of that uses AES encryption as well.

Like I said, without picking a simple password that can be brute-forced, your data is as safe as is humanly possible, in my opinion.

Personally though, I'm happy with it being a standalone application, I don't need any sync. If it's not a monthly subscription I'd probably sync it to their server, but it's not a big deal to me. But that's probably due to the information I store in it. I store only stuff like CC information, health insurance, passport, etc, so it's not a big deal if I lose the data, I can just re-enter it from the physical cards, and I definitely don't need to access it on the PC.

It's safer still if it's on a non-connected PC of my choosing. This is another case where the user should have a choice, instead of being forced into the cloud whether they like it or not. Today's vendors seem to have forgotten they exist to meet users' requirements, not the other way around.

I DO need to access the data from a PC. I keep my multitude of different passwords stored this way, and it will be a royal pain if I have to pull my Pre out of my pocket every time I want to look up a password. If I can access the cloud database easily from the PC, that's acceptable, but not ideal.

To repeat: software should be flexible enough to work the way the user wants it to work, not force the user to change their process to conform to the software. That's something I learned in my first software job, 30 odd years ago, but that every new generation of software developers seems to have to learn all over again.

I looked at it and although I like what it said, I must say that I'm a little taken aback that they don't have some sort of third-party certification! The company I work for does credit report processing and I know all too well what kind of security is required - by law - because of it. Besides, I'm not about to store my personal information online and "just hope" that nothing happens to it in transmission or on their server!

I agree with you as well!!!

3 insteads in as many lines?

I would definitely have to get more info on how they protect this information....credit cards, passwords, just toooo valuable to not understand how it is truly protected.

It seems that a company that deals with security products and wants to save it to the cloud hasn't understood their business.

I *DON'T* want all of my passwords in a cloud anywhere! If they're going to be providing online syncing/backup of the SplashID data, they darn well better let me do it on my own protected server!

*sigh* Yeah, can't go there. I can see that syncing password info to the cloud *might* be secure enough but to rule out allowing it to be stored on a device I control just won't work for me.

Apart from the excellent and (IMHO) correct assessment of the risks of storing passwords in the clouds, another reason for desktop sync solutions is that frequently you need to access those passwords on your mobile device and on your desktop.

In fact, as I think about it, I use KeyRing on my Pre and store exactly 2 passwords in it. The passwords used to get into my various desktops. My work requires me to change my password every 60 days. I generate random passwords and memorize them. For a few days after I've done that, it's really easy to forget what the password is, so I store just those on my mobile device.

The rest of my passwords go into KeePass - http://keepass.info/. KeePass allows me to open an entry and autotype it into login screens. This is ridiculously useful. And frankly w/out a desktop component, I'm simply not going to use SplashID. IMHO the desktop component is the main purpose. The mobile component needs to store many fewer passwords than the desktop does. And I can manage the sync manually.

Actually, when I think about my usage of SplashID you are right. I use the desktop component more than the handheld. It's nice to have the passwords on the handheld, but essential to have them on the desktop. If necessary I will manage the sync manually rather than go via a cloud.

This is how I use it as well. Primary use is on the desktop, and I occasionally export that to my Pre. I actually bought the desktop version after I tried the Pre version, but now I've found just how useful it is to have that on my PC.

This perfectly reflects my attitude about this. I want to use a desktop password keeper as well. I am not doing this in case my device blows up and I get a new one. I want it because I need these same passwords even more often from my desktop. The Pre version is for when I am away from my own computer and need these same passwords.

I created an account on precentral just to say that I also agree with some of the previous post. Having an _option_ to backup to the "cloud" is fine and dandy but I for one would rather backup/sync this data to my PC. I hope they are listening.

Derek, do you ever proofread your articles? It's kind of lame to see spelling and grammar errors consistently in your posts. First paragraph, last sentence is a sentence fragment. Replace "recognize that instead of" with "recognize that, but are not".

It's not that serious. He's writing an article for a tech site, not articulating a thesis. Seriously, people are taking the grammer part too seriously. As long as he's constantly bringing us new updates or news, it's ok. Ohh, just make sure you write in English, Derek.

I got you Derek ;) Keep it up.

How about taking the spelling part seriously? It's spelled 'grammar', not 'grammer'. Sorry, I just couldn't resist :-)

Actually, many readers will question the technical accuracy of any publication that does not proofread its articles. A definite pattern of errors in grammar, spelling, and sentence structure will certainly erode reader confidence. Anyone paid to produce articles for a publication is a professional, and thus should take professional pride in their work and should always proof their work. I am sure many people have been fired for less.

Excuses such as, "it is just a blog", or "it is just a technical site, not a thesis or a master work of prose", is nothing less than BS. If you do not care about what you produce, why should anyone else?

What did you say? You lost me at "proofread." Sounds boring. "it is just a blog", or "it is just a technical site, not a thesis or a master work of prose". That part I understand. Why should we care. Talk about the Prrrrrrrrrrrrreeeeeeeeeeeeeeeeeee.

I've used Splash ID for many years. I use the desktop all the time. I open it when I've forgotten a password and paste that password into a dialog box on my computer. I paste parts of e-mail messages into the notes field. I paste screen data from the relevant site into the notes field. When I'm setting up a new web account on my computer I enter the relevant info using the desktop. Then I sync. Using my Centro for that would be much more time consuming. For these matters alone the desktop is very useful.

And, agreeing with others, the notion that I'd sync my passwords with some server somewhere is ludicrous. I'd have no backup and not enough security.

I can buy a discounted Pre in December and I'm thinking of just keeping my Centro until the desktop version comes out.

It's official, I HATE Splash Data; bad enough I have to manually import portions of my desktop passwords into my Pre and then have no way to get them out for months and months, now I have to use a cloud? Just say: Norton, Nero, Chrysler, IBM - All kinds of dysfunctional companies who really don't care to listen to their "former" customers. What a waste - if there was one application which needs to work, it would be my password software (and no, Classic is not an option - what a POS that turned out to be).

Who knows, I figure another 6 months and I might even start to have the functionality I had in my 755p. My wife finally gave up and traded her Pre for a Blackberry Tour - unbelievable, but I'm actually a little jealous. If I'm really honest with myself, the Pre just sucks as a phone.

Your password database is not protected by the SSL transport level security that would connect your phone to SplashData's servers. SplashData is doing everyone a disservice by not adequately describing what does protect your data: it is encrypted with your passphrase. It remains encrypted with your passphrase whether it resides on your device or anywhere else.
"Your SplashID data is encrypted using the 256-bit Blowfish algorithm. The password is also encrypted within the database. If someone were to get a hold of your datafile, they would be unable to decrypt it without knowing the password."
This text from the SplashID security feel-good page is probably totally incorrect in one way; there is no good reason to encrypt your passphrase itself and store that in the database. There is a good reason to store a perturbation of your passphrase, of course, which is what a normal authentication system does do. A secure cryptographic hash of some "salt" (used to prevent dictionary attacks) followed by your passphrase is stored and can only be used for one purpose: to validate that you know the passphrase. I would like to see some clarification as to why that data in the database exists at all -- is it inherently using the same passphrase to validate your login to SplashID Live? The "right" way to do this part is to do challenge-response authentication based upon your passphrase but never actually storing the passphrase itself in the system.
SplashData, who I previously bought SplashID from, will not be getting a webOS SplashID purchase from me until there is SOME kind of backup solution. I'd be satisfied with a cloud-based solution, but someone with adequate technical knowledge needs to rewrite their page that is supposed to assuage security concerns. It does not describe their system with enough detail that one can say whether they should have confidence in it or not.
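The scheme the comment above describes (a salted verifier instead of a stored passphrase, checked by challenge-response), as an added example that is not part of the original comment and is not SplashData's code. It is modelled on the SCRAM construction from RFC 5802, simplified to a single server nonce; all function names, the "Vault Key" label and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(passphrase, salt):
    """Stretch the passphrase once, then split it into two independent keys.

    client_key proves knowledge of the passphrase to the sync server.
    vault_key would encrypt the password database and never leaves the device.
    """
    salted = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    return _mac(salted, b"Client Key"), _mac(salted, b"Vault Key")


def enroll(passphrase):
    """Server-side record: a random salt and a hash of client_key, nothing else."""
    salt = os.urandom(16)
    client_key, _ = derive_keys(passphrase, salt)
    return {"salt": salt, "stored_key": hashlib.sha256(client_key).digest()}


def server_challenge():
    """Fresh random nonce for each login attempt."""
    return os.urandom(32)


def client_proof(passphrase, salt, nonce):
    """Client answers the challenge without sending the passphrase or client_key."""
    client_key, _ = derive_keys(passphrase, salt)
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, _mac(stored_key, nonce))


def server_verify(record, nonce, proof):
    """Server unmasks the proof and checks it hashes to the stored verifier."""
    if len(proof) != 32:
        return False
    recovered = _xor(proof, _mac(record["stored_key"], nonce))
    return hmac.compare_digest(hashlib.sha256(recovered).digest(),
                               record["stored_key"])


def login(record, passphrase):
    """Run one full challenge-response exchange in-process."""
    nonce = server_challenge()
    proof = client_proof(passphrase, record["salt"], nonce)
    return server_verify(record, nonce, proof)


if __name__ == "__main__":
    record = enroll("correct horse battery staple")  # constructed sample passphrase
    print("right passphrase:", login(record, "correct horse battery staple"))
    print("wrong passphrase:", login(record, "Tr0ub4dor&3"))
```

Because the vault key and the login verifier come from different labels, the server's record is enough to check a login but not to decrypt a synced database.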

Brian,
it sounds like you should be working for SplashID...I don't quite understand everything you wrote; but having used online storage for a lot of important documents etc in the past, it does seem like a very viable solution.

I'm interested to see what the final product from Splash will be. Since I'm never at one computer very long, I definitely need a mobile info manager, and with strong encryption, full search capabilities (which the current SplashID beta doesn't have) and the ability to export to a desktop back-up if I want it (which I think is available with SplashData), then I don't think Splash would have any competition.

I think all of you guys are missing the point. It's not that they don't *want* to provide a desktop sync. It's that with the current WebOS SDK, they *can't*.

If you're correct, and you probably are, that's another reason the Pre fails. Palm makes the mistake of assuming they know more about what the customer wants than the customer. Instead of building software that can be tailored to the customers way of working, they force the customer to conform to the software. That's bad design, and bad practice. And only one of the reasons I still haven't bought a Pre (or an iPhone).

Welcome to the brave new world, where corporate America knows what's best for you.

I just want the ability to sync, period. I don't care if it's to the cloud or to the desktop.

Passwords are one thing I won't easily submit to storing en masse in the cloud. For the most part I just memorize all of them. I'd store them on my desktop but I don't want them all in the cloud.

If I can drag and drop files via a USB connection (media files) they could at least give us the same ability via an export option from the device.

Once again, a company is not really paying attention to how the customer is using the product. I don't want yellow stickies with passwords all over my workstation and at home, so I store them in software, but I use a weak two character password, because it's very easy and fast to type all day long. It's not a relatively large security risk, because the hardware is typically in my possession and I don't have Obama's private phone number. But I'm not willing to use a weak password to store these numbers traveling through the internet and a cloud.

I agree an export function on the Pre would go a long way for me. Then it's up to me to keep the files in sync.

Importing encrypted VIDs would help too. As it is now you can only import an unencrypted one.

I have long used SplashID and many other Splash apps on my Palm handhelds, but this is the end of my using SplashID. I used the beta version, but will look to other sources for keeping my passwords. Even though this means manually copying each and every entry, by hand, out of SplashID.

I'm not going to subscribe to an annual service for keeping track of passwords and other information. Also, I don't want my passwords, credit card numbers, etc, out in the cloud, period, no matter how well protected.

I simply don't believe that the SDK allows no options whatsoever for sync, not even an "export to a file on the USB partition." Maybe it's that bad, but I find that difficult to believe.

I *will* admit that one advantage for me to cloud-syncing is that I don't have to worry about the fact that SplashData is unlikely to provide a desktop client for linux, my preferred desktop OS.

There are times, and after reading this is one of them, that I am tempted to turn in the Pre and dust off my pea green Centro.
I'm using Classic and bluetooth to sync PalmOS Splashdata and Ultrasoft Money at present. I don't like running Classic that much, but it serves as a decent work around until, hopefully, these guys can get it right.
Key programs such as these often still have no real counterpart on WebOS. The news today from SplashData just confirms that this is a problem for more than just a few of us.
I thought we'd be getting more substance at this stage with the Pre. Frustrating.

And there will be no counterparts developed with the current SDK. It's a damn shame.

This app isn't worth it even for free till there is some kind of method of backing up the data. I tried this app in beta and lost all the splash data with the replacement :( It's worthless till it backs up somewhere.

Long time Splash ID User. I keep my Treo 755p in my other pocket JUST to still use Splash ID as I waited for a Sync solution to appear. I agree with the above poster that in its current form, it is regrettably not even worth "Free" and deleted it to make room for some real tip calculator apps I had my eye on for a while. Alas... I would pay the current Amazon Pixie Price of $24.99 for a version of Splash ID on the Pre that had JUST the same functionality of the version I carry in my other pocket on my Treo. As a power user of Splash ID, I would also NEVER submit my data to the cloud and also use the desktop version daily, so desktop sync would be very very nice.... I assume they want to sync, but it is just too hard or not possible with the WebOS software... these are things I do not understand nor need to nor care to.. I would just like to pave some room on my ridiculously small Pre app cubbyhole, pay my ten cups of coffee to Splash Data instead of Starbucks for the week and move on.... How disappointing....

Longtime Palm user, got my first one back in '97, a Palm Pilot Professional, had a Palm Pilot IIIc, a Tungsten and then a 750P, (still a great phone). And now a Pre.

Had Splash ID for many years, still do.

A little history for the Splash ID guys.

Back in the late '80s, when the Splash guys were still in diapers, Sharp started selling these "electronic organizers". People loved them.
The one fatal flaw - no backup.
If the batteries went dead, you lost everything.
And the batteries went dead A LOT.

People stopped using them because they "LOST TRUST IN THE PRODUCT".

Fast forward 1996. The first Palm Pilot is introduced. It not only came with a backup but with something truly amazing, Hot Sync! You could actually put information into your Win95 computer and Sync it to your handheld device and take it with you! WOW! I was hooked!

I believe Splash and to some extent Palm has lost the core meaning of their success. Having the ability to sync information to one's personal computer is what made Palm, it's what made Splash Data.

Right now the Splash ID for webOS is nothing more than the 1980's version of a Sharp Zaurus. (I think that's what they were called).

I don't trust it.

I will not trust it backing up my passwords to "the cloud"

And finally, having my passwords available on the desktop is huge! I had to look up my password to log into Precentral just now and lucky for me I've got SplashID Desktop v3.05.
But how long is THAT gonna last?

I agree that syncing data like this to the cloud is a bad idea. Like SplashID for Palm, another password manager - Roboform used the same password database on the desktop as on the Palm device. Now that SplashID has made their decision, I'd like to see Roboform step up and give us what we need. I've created a poll that we can use as a petition to Roboform. It's in the WebOS apps and software forum. You can also find it searching on my user name, flamand.

I have used Chapura's TurboPasswords for years. The desktop syncs with my Palm OS device flawlessly. The best part, however, is that the desktop has an IE toolbar that you click on to get drop down lists of websites that will call the webpage and enter the username and password. If you change the Username or password for the page it asks if you want to update the record. When you load a webpage that has username and password in TP, it will enter it automatically or if you have multiple accounts, offer a list of usernames to choose from. I have used TP on my Treo primarily to sync between my home and work computers and to look up passwords, email account info configuration info and as an equipment inventory manager.

Chapura says they plan to port TurboPasswords to WebOS and I assume they will use the sync manager they developed for Pocketmirror, which works great. Now that we have decent web browser I hope they can figure out an autoload feature.

SERIOUSLY PEOPLE!!!!

You are giving them a hard time about NOT syncing to the cloud, but if Palm actually did back up this data, where would it go? Yes, the Cloud.

Cloud=Cloud no matter how you look at it. It's a very vague term though.

Right now it goes to internal storage. There is AN easy way to back up internal storage, so why not use that instead of complaining about Cloud Storage?

You miss the point. People want it to sync with their desktops, not the cloud, whether Palm's or Splash's. And backup isn't the same as sync. People want the ability to access and update the data on their desktops or laptops, not just back it up.

SERIOUSLY, SAMMY!!! Try to read and comprehend what people have written.

I have absolutely NO INTEREST in paying an annual fee to backup my own data. If SplashData refuses to provide a local backup solution, I have no doubt someone else will. To me it seems SplashData does not really care about retaining any customers that have moved to the webOS platform.

What happens if the company goes bust/gets bored/taken over/Denial of service attack?
Suddenly your software syncs with nothing.

I've no problem with companies offering cloud services but they should be as well as local backups not instead of.

What happens if they go out of business? They take their servers and put them in the dumpster behind the building. Homeless people will be hacking your passwords. Like those medical records that were thrown out when the clinic shut down.

Banks and US Military servers have been hacked!

I'm not putting any of my personal info on anyone's server. Oh, you mean Palm already does this? Oh and syncing with Google uploads information too? Maybe I would put my personal business on someone's server. I

This thread:

http://forums.precentral.net/palm-pre/203201-palm-profile-backup-failure...

is a fine example of why people don't trust the cloud. Palm's backup still fails to work consistently for all people, all the time. Google has had failures, too. Sure, my own hard disk could fail, but the likelihood both my handheld and desktop fail simultaneously seems slim. And I do backup my hard disk. But people have lost data relying on Palm's cloud backup option.

I also use the desktop version more than everything else. As a matter of fact, I use it daily. The question from me is, will SD promote syncing the desktop app to the cloud. If that were the case would it not make sense that both desktop and Pre could sync to the same data?

Like the majority of the people commenting, I too have bought large amounts of aluminum foil to protect my passwords from getting hacked out of the cloud.

I've actually come up with an excellent way for password protection all of you might be interested in. I close my eyes when I'm creating passwords so that then even I don't know what my password is. This way no one, not even myself can hack into my account. It's safer that way.

[/sarcastic silliness]

Why not just use your Mashed life? After using Mashed Life's open-sourced tool to dump all my credentials from my IE & Firefox, and importing my URLs from Delicious automatically, I imported them into Mashed Life. All took me less than 5 minutes. I was totally blown away by that!

And the adoption of Umikey is a big plus, making using Mashed Life even easier and safer. I no longer need to even type the URL! And I can securely log in from an insecure PC, on an insecure network.

Also secure PC login is a big bonus.

Just my personal 2 cents to share with the community

holy effin' cow who's the blithering idiot of a product manager at splashID who can't figure out how big of a screw up it'd be to not offer something off the cloud!? You're a greedy sonofabitch and it's going to totally screw you.

Sorry, not gonna use it. I have SplashID Desktop for my Mac, and that's the canonical repository for my passwords. Every month or so I export to a .VID file and copy it over to the Pre in USB mode, then import it in SplashID on the Pre. It's cumbersome but it works. I'm certainly not going to store my passwords on someone else's server, no matter how "secure" they claim it to be, and pay for the privilege. No thanks.
