Home Tags IOS device

Tag: iOS device

iWork and iLife apps are now free for old and new...

No new Apple purchase required.

VU#342303: Pandora iOS app does not properly validate SSL certificates

The Pandora iOS app fails to properly validate SSL certificates provided by HTTPS connections,which may enable an attacker to conduct man-in-the-middle(MITM)attacks.

Huawei updates Mate 9 handsets with incomplete Alexa integration

An OTA update will start updating Mate 9 handsets to include Huawei's Alexa app.

iPhone users can now access Amazon’s Alexa on the go

And you don’t need an Echo, Tap, or Dot to do so.

Facebook tool cuts through React complexity

Facebook attempts to make it easier to get started with its React Native framework, launching the CRNA (Create React Native App) tool for building mobile apps with no build configuration.Introduced Monday, CRNA was co-developed by Facebook and Expo, formerly Exponent.

The tool, deemed stable for general use, was inspired by the design of Create React App for building React JavaScript apps sans build configuration.[ Get started: A developer’s guide to serverless computing. | Keep up with hot topics in programming with InfoWorld's App Dev Report newsletter. ]"Many developers struggle with installing and configuring React Native's current native build dependencies, especially for Android," said Adam Perry, Expo software engineer. "With Create React Native App, there's no need to use Xcode or Android Studio and you can develop for your iOS device using Linux or Windows." The tool works with the Expo open source mobile development tool, which builds atop React Native.

Expo loads and runs CRNA projects written in JavaScript without compiling native code.To read this article in full or to leave a comment, please click here

VU#247016: Flash Seats Mobile App for Android and iOS fails to...

Flash Seats Mobile App for Android,version 1.7.9 and earlier,and for iOS,version 1.9.51 and earlier,fails to properly validate SSL certificates provided by HTTPS connections,which may enable an attacker to conduct man-in-the-middle(MITM)attacks.

TrustPort Internet Security Sphere (2017)

I try my best to review the latest security suite and antivirus releases from all the security companies, but occasionally I miss one. The 2016 product line from TrustPort slipped past me. I hoped that with two years of innovation rather than the usual one, I would see remarkable improvements in TrustPort Internet Security Sphere, which fared poorly in my last review. Sadly, it didn't score any better than when I last reviewed it in 2015.

At $37.95 per year for three licenses (or $29.95 for a single license), TrustPort is significantly less expensive than most competing products. Bitdefender, Kaspersky, and Norton all cost just a little more than twice as much. On the other hand, those three are much more effective than TrustPort. For the same price, McAfee Internet Security lets you install protection on every Windows, Mac, Android, and iOS device in your household.

The main window for Trustport's antivirus features a single row of five square buttons, while the full suite has two rows of five, to accommodate its additional features. The six green buttons turn components like the real-time scanner and parental control on and off. Blue buttons invoke actions such as running a scan or checking for updates. It's a different arrangement of square buttons from the version I reviewed previously, and a different color scheme, but not a lot else has changed, appearance-wise.

Shared Antivirus Features

This suite's antivirus protection includes everything found in TrustPort Antivirus Sphere, plus an additional Web scanner component. Please read that review for full details of features common to both. I'll summarize here and focus on the suite's additional antivirus abilities.

Several high ratings from the independent testing labs marks a highly effective antivirus. Alas, only one of the labs that I follow includes TrustPort. In its RAP (Reactive And Proactive) test, Virus Bulletin scored TrustPort at 85.34 percent, a little above the average score. But that's not enough data for me to come up with an aggregate lab rating. On a scale of 10 possible points, Kaspersky Internet Security earned an impressive aggregate score of 9.8, while Norton managed 9.7 points.

In my own hands-on malware-blocking test, TrustPort detected 87 percent of the samples and earned 8.5 of 10 possible points. That's one of the lower scores among products I've tested with this sample set. Webroot SecureAnywhere Internet Security Plus, Comodo, G Data, and a few others detected every single sample. Webroot, Comodo, and PC Matic earned a perfect 10 points in this test.

My malicious URL blocking test uses very new malware-hosting URLs. Products get equal credit for blocking all access to the URL and for eliminating the malicious executable during download. Handicapped by lack of any Web-based protection, TrustPort's antivirus managed to wipe out 70 percent of the samples during download. When I tested the suite, its Web scanner blocked access to 21 percent of the URLs, and the real-time antivirus took care of another 55 percent. The total protection rate of 76 percent is still pretty low. Tested in the same way, Symantec Norton Security Deluxe blocked 98 percent of the samples.

Other Shared Features

The antivirus includes a feature called Anti-Exploit, but it's not about blocking attacks that exploit unpatched vulnerabilities, as you might expect. Rather, it looks for suspicious activity, things like programs attempting to manipulate other programs. In its default silent state, it doesn't do anything at all. When I took it out of silent mode and tested it with some valid programs, it found 40 percent of them to be suspicious. To get those programs working, I had to add them to the trusted list.

Next I switched from Anti-Exploit to an alternate tool called Application Inspector and tested again with a collection of valid programs. The Application Inspector flagged 30 percent of them for a different set of suspicious behaviors than Anti-Exploit did. You're better off just leaving this feature in its silent, do-nothing mode.

Clicking the Extra Applications button doesn't actually get you any extra applications, at least not in the standalone antivirus. Rather, it offers access to two different but equally complicated techniques for creating a bootable antivirus. You can use a bootable antivirus to clear up malware infestations that resist normal disinfection. However, the options offered by TrustPort are just too complex for the average user. The full security suite does offer extra applications, which I'll describe below.

Poor Phishing Protection

Phishing is the practice of creating fake versions of sensitive websites and hoping some poor chump takes the bait. Victim who log in to a fake PayPal site, for example, have just given away their credentials to their real PayPal account. These fraudulent sites get blacklisted and taken down quickly, but the fraudsters just reopen with a new fake site.

To test phishing protection, I use the newest phishing URLs I can find, preferably ones that have been reported as fraudulent but not yet analyzed and blacklisted. I try to visit each in a browser protected by the product under test, and in another browser protected by Norton, which has a long history of effective phishing detection. I also launch each URL in Chrome, Firefox, and Internet Explorer, relying on each browser's built-in fraud detection.

The first time TrustPort blocked anything, it popped up the standard notification it uses when it detects malware in a file. I resolved to track such events separately from times when the Web scanner denied all access the fraudulent site. But I didn't need to do that. Not once did I see a page replaced by the Web scanner's warning window. In addition, I found that even when TrustPort reported that it found phishing, the fraudulent page was completely accessible, and I had no trouble entering my (fake) credentials.

Very few products can match Norton's detection rate in this test. Of all recent products, ZoneAlarm tied Norton, while Webroot, Kaspersky, and Bitdefender Internet Security 2017 did a little better. Every other product lagged Norton's detection rate, some by a little, some by a lot.

TrustPort falls in the "by a lot" category. Its detection rate came in 66 percentage points behind Norton's. Chrome and Internet Explorer also beat TrustPort by a wide margin. This is a poor showing.

Old-School Firewall

TrustPort's firewall handled the basic task of fending off outside attack just as well as Windows Firewall. It put the system's ports in stealth mode, making them invisible from the outside, and fended off my port scans and other Web-based attacks. In a recent test, G Data Internet Security 2017 went even further, presenting a notification that it blocked a port scan attack.

Of course, merely doing as well as Windows Firewall isn't a huge accomplishment. Most personal firewalls, TrustPort included, also take control of how programs connect to the Internet and network. Early personal firewalls foisted decision-making on the poor, uninformed user. Should I allow netwhatever.exe to connect with the computer at IP address 123.123.123.123 over port 80? Who knows! Some products, ZoneAlarm among them, cut down on these popups by maintaining a huge database of known good programs and automatically configuring permissions for those.

Norton takes this concept to the next level. If a process isn't in the database, Norton doesn't ask the user what to do. Rather, it monitors that process extra-closely for any suspicious network activity. That's much better than relying on the untrained user for important security decisions.

TrustPort offers four levels of firewall protection, but if you read the text associated with each, it doesn't actually recommend any of them. The default level is called Use Firewall Rules, but the text states this is only recommended for experienced users. The description of the less-strict Enable Outgoing Connections level includes a warning that it can't defend against Trojans and spyware. And there's no point in the options that block or allow all network traffic. For testing, I stuck with the default, Use Firewall Rules.

In this mode, TrustPort is totally old-school. It did correctly pop up a query about my hand-coded browser's use of the network, and it managed to detect a couple leak test programs trying to evade its view. But it also popped up queries for numerous internal Windows components. A user who accepted the default action, blocking that process from Internet access now and forever, would wind up disabling parts of Windows.

Fixing a program blocked in error is also tough with this suite. You click Advanced Configuration, find the Firewall section, and open the Filter Definitions page. Scrolling past dozens and dozens of confusing default rules, you'll eventually find application-specific rules. You could jump in and edit the rule that's blocking the program, but you're better off just deleting the entry and choosing to allow access next time the firewall asks.

Protection against exploit attacks is often a firewall feature. I tested TrustPort's protection by hitting the test system with several dozen exploits generated by the CORE Impact penetration tool. Its Web protection component jumped in to block 30 percent of them, identifying all but one of the exploit attacks by name. Tested in the same way, G Data blocked 50 percent of the exploits. Norton has the best score in this test. It blocked 63 percent of them, all at the network level, before any portion of the exploit reached the test system.

I always investigate methods that a nefarious coder might use to disable firewall protection. TrustPort doesn't seem to store anything in the Registry, so there's no way I could flip the Off switch. I tried to kill its six processes using Task Manager, with no result beyond six Access Denied messages.

However, like G Data, F-Secure Internet Security, and a few others, TrustPort doesn't protect its essential Windows services. I set the Startup Type for all six to disabled and rebooted the system. On reboot, TrustPort didn't run at all. Comodo also didn't protect its services, but on reboot it reported the problem and offered to fix it automatically.

This firewall handles the same tasks that the built-in Windows Firewall does, which is no great feat. Its program control component pops up queries about Windows components; a hapless user who chooses the default block action may disable part of Windows. And the firewall isn't properly hardened against attack. It's not an impressive showing.

See How We Test Security Software

Extra Applications

Clicking the big Extra applications button on the main window lets you launch Portunes (rhymes with fortunes) and Skytale (rhymes with Italy). Portunes offers static storage for your passwords and other important data. Skytale encrypts messages. And neither is very useful.

Portunes stores passwords, credit cards, contacts, addresses, and more. You define what it calls a PIN to protect the collection. Last time I reviewed this product, it required a four-digit PIN; now you can enter a respectable master password. That's an improvement, albeit a minor one.

However, Portunes doesn't have any password management features other than including passwords among the things it stores. You can, if you wish, sync your data between multiple installations. To do so, you give Portunes access to your Dropbox account.

As for Skytale, it's easy enough to use. Type or paste in some text, click Encrypt, enter a password, and email or otherwise transmit the resulting gibberish to the recipient, sending the password separately. The catch is, the recipient must also be a TrustPort users. Quite a few encryption utilities don't have that kind of limitation. Some let you create a self-decrypting EXE file, while others offer a free decryption-only tool. Without any similar feature, Skytale isn't terribly useful.

Optimalize Your PC

"Optimalize" may not be precisely English, but it's what the button says. Clicking it launches TrustPort Optima, a simple tune-up utility that deletes temporary files, wipes out useless and erroneous Registry entries, and defragments your disk drives.

You start by clicking Analyze. On my test system, this step went quite quickly for the temporary files and Registry data, but it took quite a while to finish analyzing disk fragmentation. In a similar fashion, the actual cleanup of temp files and Registry went quickly, while defragmentation took quite a bit longer. You can click for a retro view that shows the defrag process as it happens.

Stripped-Down Antispam

If you rely on Web-based mail for your personal email account, you probably don't see much spam, as the major webmail providers filter it out. Likewise, your business email account probably gets filtered at the email server. Given that few people need a spam filter these days, and that my antispam testing was the most lengthy and laborious of all my tests, I dropped that hands-on test last year.

That's a good thing for TrustPort. The last time I reviewed this suite's spam filter, I found it to be quite dismal. It noticeably slowed the process of downloading email, and certain messages caused it to hang, cured only by quickly turning spam filtering off and on again. And its accuracy was terrible. We can hope that the designers have tuned this component since that time.

The spam filter supports Outlook, Outlook Express, Windows Mail, Thunderbird, and The Bat!, but not Windows Live Mail (the replacement for Outlook Express and Windows Mail). Even with these supported email clients, you still must define a message rule to put the spam in its own folder.

You can manually add email addresses or domains to the whitelist or blacklist. However, there's no option to automatically whitelist addresses to which you send mail, or import the address book to the whitelist, the way you can with ESET, Trend Micro Internet Security, and others.

Spam filtering in Check Point ZoneAlarm Extreme Security 2017 is extremely comprehensive and boasts pages and pages of configuration choices. I'm happier with a reduced set of choices, things users can actually understand. TrustPort's advanced spam filter settings are decidedly reduced—there are just four of them—but the average user will get no benefit from meddling with these.

Parental Lock

Not everyone has kids, and not every parent wants a parental control utility. For those who do want it, having parental control integrated with the security suite can be convenient. That is, if the parental control component does its job.

TrustPort's Parental Lock is a content filter, nothing more. If you turn it on by clicking its button on the main window, it immediately starts filtering access to websites in five categories: Violence, Porn, Warez, Hacking, and Spyware. You can tweak the configuration to also filter out seven more categories, among them Chat, Shopping, and Drugs.

By default, the filter applies to all users. It's possible to configure it one way for your teen and another way for your toddler, but it's far from easy. Doing so requires using the arcane Windows Select Users dialog. Guys, couldn't you just give Mom and Dad a simple list of user accounts?

In testing, I found that quite a few seriously raunchy sites got past the filter. It doesn't handle secure sites, so any HTTPS porn sites slipped right through. Logging in through a secure anonymizing proxy lifted any limitations by the content filter.

This so-called parental control system is worse than useless. If you want a suite that includes a full-functioning parental control system, look to Norton, Kaspersky, or ZoneAlarm.

More Drag Than Most

The days of resource-hogging security suites that bogged down performance are gone. Users wouldn't accept it, and security companies changed their ways. Few modern suites put a noticeable drag on performance. Even so, there's still a range, and in my hands-on testing TrustPort's performance drag came in on the high side.

Getting all the protective components of a security suite loaded can have an impact on the time it takes to boot up your PC. My boot time test waits for 10 seconds in a row with less than five percent CPU usage, defining that as the time the system is ready for use. Subtracting the start of the boot process, as reported by Windows, yields the boot time. I ran this test 20 times before installing TrustPort and 20 more times afterward, then compared the averages.

The result was so high that I tried again, this time watching the process closely. I found that at each reboot, the firewall was popping up queries about system processes. I manually rebooted the system over and over, responding to all the popups until they stopped coming. When I re-ran the test it still showed a 54 percent increase in boot time. That's one of the biggest impacts among current products. Fortunately, most of us don't reboot any more than we're forced to.

I also measure the suite's impact on simple file manipulation. One test times a script that moves and copies a mixed collection of files between drives. Averaging multiple runs with and without the suite, I found the script took 28 percent longer with TrustPort present. That's a little more than the current average of 23 percent. On the plus side, it didn't exhibit any measurable drag on another script that repeatedly zips and unzips those files.

The average of TrustPort's three performance scores is 27 percent, one of the largest among current products, but I didn't actively notice the test systems seeming slow. At the other end of the spectrum, Webroot had no measurable effect on any of the three tests. Norton averaged just five percent drag, which is quite good.

Look Elsewhere

Typically I'd conclude by summarizing the good and bad points of TrustPort Internet Security Sphere, but there's just not much I can say on the plus side. The independent labs don't rate it, and it fared poorly in our hands-on tests. Its firewall pops up warnings even for Windows internal processes, and it isn't defended against hacking. And the parental control system is worse than useless.

Forget about this suite. Look instead to one of our Editors' Choice security suite products. For a basic security suite, those are Bitdefender Internet Security and Kaspersky Internet Security.

Sub-Ratings:
Note: These sub-ratings contribute to a product's overall star rating, as do other factors, including ease of use in real-world testing, bonus features, and overall integration of features.
Firewall:
Antivirus:
Performance:
Privacy:
Parental Control:

Back to top

PCMag may earn affiliate commissions from the shopping links included on this page. These commissions do not affect how we test, rate or review products. To find out more, read our complete terms of use.

How—and why—you should use a VPN any time you hop on...

One of the most important skills any computer user should have is the ability to use a virtual private network (VPN) to protect their privacy.

A VPN is typically a paid service that keeps your web browsing secure and private over public Wi-Fi hotspots.
VPNs can also get past regional restrictions for video- and music-streaming sites and help you evade government censorship restrictions—though that last one is especially tricky. The best way to think of a VPN is as a secure tunnel between your PC and destinations you visit on the internet. Your PC connects to a VPN server, which can be located in the United States or a foreign country like the United Kingdom, France, Sweden, or Thailand. Your web traffic then passes back and forth through that server.

The end result: As far as most websites are concerned, you’re browsing from that server’s geographical location, not your computer’s location. We’ll get to the implications of a VPN’s location in a moment, but first, let’s get back to our secure tunnel example. Once you’re connected to the VPN and are “inside the tunnel,” it becomes very difficult for anyone else to spy on your web-browsing activity.

The only people who will know what you’re up to are you, the VPN provider (usually an HTTPS connection can mitigate this), and the website you’re visiting. A VPN is like a secure tunnel for a web traffic. When you’re on public Wi-Fi at an airport or café, that means hackers will have a harder time stealing your login credentials or redirecting your PC to a phony banking site. Your Internet service provider (ISP), or anyone else trying to spy on you, will also have a near impossible time figuring out which websites you’re visiting. On top of all that, you get the benefits of spoofing your location.
If you’re in Los Angeles, for example, and the VPN server is in the U.K., it will look to most websites that you’re browsing from there, not southern California. This is why many regionally restricted websites and online services such as BBC’s iPlayer or Sling TV can be fooled by a VPN.
I say “most” services because some, most notably Netflix, are fighting against VPN (ab)use to prevent people from getting access to, say, the American version of Netflix when they’re really in Australia. For the most part, however, if you’re visiting Belgium and connect to a U.S.
VPN server, you should get access to most American sites and services just as if you were sitting at a Starbucks in Chicago. What a VPN can’t do While VPNs are an important tool, they are far from foolproof. Let’s say you live in an oppressive country and want to evade censorship in order to access the unrestricted web.

A VPN would have limited use.
If you’re trying to evade government restrictions and access sites like Facebook and Twitter, a VPN might be useful.

Even then, you’d have to be somewhat dependent on the government’s willingness to look the other way. Anything more serious than that, such as mission-critical anonymity, is far more difficult to achieve—even with a VPN. Privacy against passive surveillance? No problem. Protection against an active and hostile government? Probably not. HideMyAss A VPN service provider such as HideMyAss can protect your privacy by ensuring your internet connection is encrypted. The problem with anonymity is there are so many issues to consider—most of which are beyond the scope of this article. Has the government surreptitiously installed malware on your PC in order to monitor your activity, for example? Does the VPN you want to use have any issues with data leakage or weak encryption that could expose your web browsing? How much information does your VPN provider log about your activity, and would that information be accessible to the government? Are you using an anonymous identity online on a PC that you never use in conjunction with your actual identity? Anonymity online is a very difficult goal to achieve.
If, however, you are trying to remain private from prying eyes or evade NSA-style bulk data collection as a matter of principle, a reputable VPN will probably be good enough. Beyond surveillance, a VPN also won’t do much to keep advertisers from tracking you online. Remember that the website you visit is aware of what you do on its site and that applies equally to advertisers serving ads on that site. To prevent online tracking by advertisers and websites you’ll still need browser add-ons like Ghostery, Privacy Badger, and HTTPS Everywhere. How to choose a VPN provider There was a time when using a VPN required users to know about the built-in VPN client for Windows or universal open-source solutions such as OpenVPN. Nowadays, however, nearly every VPN provider has their own one-click client that gets you up and running in seconds.

There are usually mobile apps as well to keep your Android or iOS device secure over public Wi-Fi. Of course that brings up another problem.
Since there are so many services to choose from, how can you tell which ones are worth using, and what are the criteria to judge them by? First, let’s get the big question out of the way.

The bad news for anyone used to free services is that it pays to pay when it comes to a VPN.

There are tons of free options from reputable companies, but these are usually a poor substitute for the paid options.

Free services usually allow a limited amount of bandwidth usage per month or offer a slower service.

Tunnel Bear, for example, offers just 500MB of free bandwidth per month, while CyberGhost offers a free service that is significantly slower than its paid service. CyberGhost Everybody loves free services; but when you want to use a VPN, the free version usually isn’t the best deal. Then there are the free VPNs that use an ad-supported model, which in my experience usually aren’t worth using at all. Plus, free VPNs are usually anything but; in lieu of payment they may be harvesting your data (in anonymized form of course) and selling it as “marketing insights” to advertisers. The good news is VPNs aren’t expensive. You can usually pay as little as $5 a month (billed annually or in blocks of several months) for VPN coverage. We won’t get into specific VPN service recommendations in this article; instead, here are some issues to consider when shopping around for a VPN provider. First, what kind of logging does your VPN provider do? In other words, what information do they keep about your VPN sessions and how long is it kept? Are they recording the IP addresses you use, the websites you visit, the amount of bandwidth used, or any other key details? All VPNs have to do some kind of logging, but there are VPNs that collect as little data as possible and others that aren’t so minimalist. On top of that, some services discard their logs in a matter of hours or days while other companies hold onto them for months at a time. How much privacy you expect from your VPN-based browsing will greatly influence how long you can stand having your provider maintain your activity logs—and what those logs contain. TunnelBear TunnelBear is one of the author’s favorite VPNs, but there are many good choices on the market. Second, what are the acceptable terms of use for your VPN provider? Thanks to the popularity of VPNs with torrent users, permissible activity on specific VPNs can vary.
Some companies disallow torrents completely, some are totally fine with them, while others won’t stop torrents but officially disallow them. We aren’t here to advise pirates, but anyone looking to use a VPN should understand what is and is not okay to do on their provider’s network. Finally, does the VPN provider offer their own application that you can download and install? Unless you’re a power user who wants to mess with OpenVPN, a customized VPN program is really the way to go.
It’s simple to use and doesn’t require any great technical knowledge or the need to adjust any significant settings. Using a VPN You’ve done your due diligence, checked out your VPN’s logging policies, and found a service with a great price and a customized application. Now, for the easy part: connecting to the VPN. Here’s a look at a few examples of VPN desktop applications. TunnelBear, which is currently my VPN of choice, has a very simple interface—if a little skeuomorphic. With Tunnel Bear, all you need to do is select the country you want to be virtually present in, click the dial to the “on” position, and wait for a connection-confirmation message. SaferVPN works similarly.

From the left-hand side you select the country you’d like to use—the more common choices such as the U.S., Germany, and the U.K. are at the top. Once that’s done, hit the big Connect button and wait once again for the confirmation message. SaferVPN With SaferVPN, all you need to do is choose the country you wish to have a virtual presence in. HMA Pro is a VPN I’ll be reviewing in the next few days.

This interface is slightly more complicated, but it’s far from difficult to understand.
If you want to select your desired virtual location click the Location mode tab, click on the location name, and then choose your preferred location from the list. Once that’s done click the slider button that says Disconnected. Once it flips to Connected,you’re ready to roll. There are numerous VPN services out there, and they all have different interfaces; but they are all similar enough that if you can successfully use one, you’ll be able to use the others. That’s all there is to using a VPN.

The hard part is figuring out which service to use. Once that’s done, connecting to a VPN for added privacy or to stream your favorite TV shows while abroad is just a click away. This story, "How—and why—you should use a VPN any time you hop on the internet" was originally published by TechHive.

VU#767208: ThreatMetrix SDK for iOS fails to validate SSL certificates

On the iOS platform,the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections,which may allow an attacker to perform a man-in-the-middle(MITM)attack.

VU#475907: ShoreTel Mobility Client mobile application does not verify SSL certificates

ShoreTel Mobility Client for iOS and Android,version 9.1.3.109 and earlier,fails to properly validate SSL certificates provided by HTTPS connections,which may enable an attacker to conduct man-in-the-middle(MITM)attacks.

Steganos Password Manager 18

Münich-based software publisher Steganos is all about privacy. The company offers encryption, VPN, secure deletion, and other privacy-related tools. Naturally, the lineup includes a password manager. Steganos Password Manager 18 doesn't have the high-end features that typify the very best password managers, though, and even its more mundane features didn't always work in testing.

Your one-time payment of $24.95 gets you licenses to install the application on up to five PCs. The licenses don't expire, but they also don't automatically update to the next version. You can also tie any number of iOS or Android devices to your account. This pricing is a bit hard to compare with the competition. RoboForm Desktop is also a one-time fee, $29.95 in this case, but it doesn't sync across multiple devices. Dashlane costs $39.99 per year and puts no limits on the number of PC, macOS, Android and iOS devices. Just one dollar per month lets you use LastPass Premium on all your devices. And of course, some competitors, such as LogMeOnce Password Management Suite Premium, are completely free.

Getting Started

When you go to download Steganos, you're likely to find that it comes with a trial of the full Steganos Privacy suite. This suite includes, among other things, a file shredder, several forms of encryption, and the Steganos Online Shield VPN. In this review, I focus strictly on the password manager.

Once you've installed the product, it opens to a big, empty window, with instructions on how to proceed. With Steganos, you can create multiple password databases, which it calls keychains. Multiple users on one PC could have their own keychains. But nothing happens until you select New from the File menu, to create your first keychain.

As with most password managers, Steganos starts you off with the creation of a master password. You can type it using a virtual keyboard, or create it using the unusual PicPass feature. I'll go into detail about those below. As you type in your password, Steganos fills in five lock icons, and displays a description of your password's strength. At one lock, it says, "This password can probably be guessed." If you make it to five locks, it declares, "This password cannot be identified by intelligence agencies." Interestingly, it also reports the number of word fragments found in the password.

There's also an option to store the master password on a USB device. This isn't precisely two-factor authentication, since the USB device replaces the master password for authentication. In addition, you can't sync with mobile devices if you choose USB authentication. True Key and LogMeOnce Password Management Suite Ultimate both allow authentication using multiple other factors, without the need for a master password. In fact, passwordless login is the default for LogMeOnce.

Steganos installs the necessary browser extension in Internet Explorer automatically, and there's a menu option to install it in Chrome. Firefox is also supported, but in testing I could not get the extension to load. Even after reinstallation, Firefox reported the extension as corrupt. An Edge extension is in the works, pending approval by Microsoft. True Key by Intel Security is the only competitor I've encountered that has a working extension for Microsoft Edge.

Dashlane, Sticky Password Premium, and most password managers that let you sync your passwords across multiple devices handle syncing internally. Not Steganos. If you want to sync between devices, you must configure it to store your keychain in your existing cloud storage services. It supports Dropbox, Google Drive, and OneDrive, as well as the Europe-centric Magenta Cloud. Setting up the connection is simple enough, and of course your data is encrypted before it's sent to the cloud. Still, this might be a good time to toughen up the password on your cloud storage.

There is one more option for syncing among devices, but it's not something most users would want to mess with. If you choose File export, Steganos saves your data in a portable, shareable form. Importing that data on another PC isn't so tough, but getting it onto an Android or iOS device is a pain.

Password Capture and Replay

Like almost all password managers, Steganos notices when you log in to a secure site and offers to save your credentials. Some products slide in a notification at the top of the browser window, some create a popup within the browser, and others use a totally separate popup. Steganos is among the last group, and I found that its popup consistently got stuck behind the browser. You can give the new entry a friendly name at this time, but you can't assign it to a category.

If you're switching to a new password manager, the ability to import passwords from the product you're leaving behind is a big plus. LastPass can import from more than 30 competitors, and KeePass from nearly 40. Steganos imports from just two, KeePass 2.34 and 1Password; to me these seem like odd choices.

Dashlane, LastPass, Password Boss Premium, and True Key don't just import passwords stored insecurely in your browsers. They also delete those passwords from the browser, and turn off browser-based password capture. Alas, Steganos doesn't import from browsers at all.

When you revisit a secure site, the default behavior is for Steganos to automatically fill in the saved credentials. You can turn off this behavior and manually call on the browser extension when you want it to fill in the data. As is typical, if you have multiple sets of credentials saved, it offers a menu.

While most websites use standard login screens, easily understood by password managers, some of them march to a different drummer. If you run into a login that Steganos doesn't capture automatically, you can do it manually. Just sign out, reenter your credentials, and (in Chrome) choose "Save form to keychain" from the toolbar button's menu. In testing, I found that in IE the equivalent Save Form button did not work. LastPass, Sticky Password, and RoboForm Everywhere 7 have a similar ability to capture passwords on demand.

Many password managers turn your data into a menu of saved websites. Just click the toolbar button and choose a site to both navigate there and log in. With Steganos, you open the main application window and launch from there.

The Steganos application must be running any time you want to use its browser extensions. That's a bit different from many competing products. I kept accidentally shutting it down, when all I really wanted to do was get it out of the way. The correct way to handle that situation is to minimize the application down to its tiny desktop widget. From the widget, you can restore the main window, or drag/drop the username and password for the selected login.

Password Generator

When you're editing one of your saved password entries, you can invoke the built-in password generator to provide a strong new password. However, it's up to you to go to the site and put your new password in place. Steganos doesn't automatically offer the password generator when you're setting up a new online account, either.

The password generator defaults to creating 16-character passwords, which is good. But it only uses uppercase letters, lowercase letters, and digits, by default. I advise adding special characters to the mix. Interestingly, Steganos seeds its random number generator before each password generation event by using your own mouse movements.

Organizing Passwords

As noted, you can assign a friendly name at the time Steganos captures a set of login credentials. That name is what appears in the main window's password list. When you click an item in the list, its details appear at right. You can click Edit to change those details—all except the friendly name. To change that name, you must right-click it in the list.

To start, all your passwords simply appear directly below the root of the tree. If you prefer a more organized approach, you can create any number of categories, which become branches in the tree display. You can even create nested categories, something that few password managers allow. RoboForm, Sticky Password, and LastPass 4.0 Premium are among the few that permit multilevel categories.

I assumed that organizing my saved logins would be a simple matter of dragging them in to the desired category, the way you do with LastPass. It's not. Instead, you right-click the entry and select its new location in the tree.

Portable Edition

With LastPass, Dashlane 4, LogMeOnce, and other Web-centric password managers, you can log into your password database from any computer. Steganos requires installation of its app on a PC, and doesn't make your cloud-connected database available without it.

However, if you anticipate needing to use the app on an unfamiliar computer, you can create a portable edition on any USB device. Just select the keychain, select the device, and you're done. Any future changes you make in the main app don't appear in the portable edition, so you should recreate the portable edition frequently. In addition, all the data in the portable edition is read-only.

PicPass and Virtual Keyboard

Some people have no trouble remembering a strong password based on a favorite song or quote. Others are more visual, and for those people Steganos offers PicPass. When you choose to define or redefine your master password using PicPass, you start with a grid of 36 photos or 36 symbols. You proceed to click on as many of the pictures as you think you can remember, and then repeat that same pattern of picture-clicks.

However, there's a catch. The 36 pictures correspond to the 10 digits and 26 uppercase letters, and your fancy pattern of clicks gets translated into a mundane password like 1UB3OX. Steganos doesn't hide this fact; it even offers to display the generated password. Yes, you can make the PicPass process tougher by having Steganos scramble the picture locations, but doing so just makes it harder for you to get the right sequence. It doesn't make the password itself more resistant to brute-force cracking.

Limited Web Form Filling

Steganos lets you store a very limited set of personal data, little more than name, address, email, phone, and birthdate. There's no option to store multiple profiles such as you get with LastPass, Dashlane, and others. And there's certainly no ability to create multiple instances of data fields the way you can in RoboForm. You can enter data for any number of bank accounts and credit cards, and sync these between your devices, but the app does not use these to fill Web forms.

In testing, I found that the Web form-filling feature worked correctly in Chrome, but didn't work in Internet Explorer. In some cases, it immediately filled personal data into the form's fields. In other cases, I had to select "Fill form now" from the toolbar button's menu.

Mobile Options

If you want to use Steganos for logging into secure sites on your mobile devices, you must configure your account to use one of its cloud storage options. Install the free Steganos Mobile Privacy from the Google Play store or Apple App Store, connect it with your cloud storage, and enter your master password. You're ready to go.

I installed the app on a Nexus 9, just to get a feel for it. The PC edition's tree display is absent, so you have to either dig down to the entry you want or use the handy search box. Tapping an entry opens the corresponding website in the app's internal browser and logs you in. There's no integration with other browsers installed on the device.

Like the portable edition, the mobile edition is read-only. If you want to add or edit password entries, credit card data, or anything else, you must do it on your PC. But if all you want is quick mobile access to your secure websites, it does the job.

You Can Do Better

It's nice to see a password manager that charges a one-time fee rather than a per-year subscription, but there are disadvantages, too. That yearly subscription pays other vendors for things like server space to hold your encrypted data. With Steganos Password Manager 18, you supply that storage yourself, in the form of an account with one of the big cloud storage providers. Steganos also lacks the advanced features found in the very best password managers. In testing, even the simpler features it does contain didn't always work perfectly.

If the low, one-time price really resonated with you, you're probably better off getting one of our top free password managers instead. For those willing to pay a bit, we've identified several password managers worthy of the title Editors' Choice. LastPass 4.0 Premium costs just a dollar a month, and it has tons of features. LogMeOnce Password Management Suite Ultimate 5.2 beats all the competition feature-wise, with some security elements not found in any competitor. Dashlane 4 goes for streamlined ease of use, with advanced features including an actionable password strength report, secure password sharing, and account inheritance.

Back to top

PCMag may earn affiliate commissions from the shopping links included on this page. These commissions do not affect how we test, rate or review products. To find out more, read our complete terms of use.

Apple IOS 10.2 and macOS 10.12.2 Debut Fixing Security Flaws

Apple is out with what is likely its' final security patch update of 2016, debuting the new macOS 10.2.2 operating system for desktops and the IOS 10.2 release for mobile devices. Apple is updating both its desktop macOS Sierra and mobile IOS operating...