Nov 30, 2014

iPhone 6 review: The little things make it a real star

The iPhone 6 is the first major redesign of the Apple iPhone since 2010's iPhone 4. The design is new, with the aluminum side band gone and the glass and aluminum halves directly welded for a sleeker, less-industrial look. The iPhone 6 is also bigger, a long-desired improvement in screen real estate. That's normal change in the smartphone world.
The real question is whether it's as great as the mania suggests.
After spending three days with the 4.7-inch iPhone 6, I do love the iPhone 6. While I really like the larger screen — my iPhone 4 was too small — it's the little things that make the bigger iPhone 6 a real star.

The iPhone 6's hardware is (mostly) excellent

I really like the iPhone 6 as a device.
First, the iPhone 6 is simply a pleasure to hold. The wraparound aluminum is almost velvety, and the glass front melds seamlessly into it. The screen is bright and colorful, without crossing the line into garish as some Android phones do (Galaxy S5, I'm talking to you). There are a few other nice-feeling smartphones, like the HTC One M8, but the iPhone 6 is a cut above.
Under the hood are Apple's new chips: the A8 processor and M8 motion coprocessor, as well as a souped-up graphics subsystem. The iPhone 6 has as much power as some PCs, and you can feel the better performance.
The screen is brilliant and bright, more so than Apple's previous iPhones, whose images were crisp and true but a bit subdued. In the iPhone 6, Apple has increased brightness without making the colors artificially garish, in that unnatural, pumped-up "Miami Vice" style that Samsung favors. It works great for navigation while driving with the new Siri hands-free mode (yes, Apple Maps is a lot better now).
Apple says the iPhone 6's viewing angle is wider -- well, yes and no. It's a tad wider than my iPhone 4's viewing angle, but not meaningfully more. What's different: At an extreme viewing angle, the iPhone 6 retains most of its brightness and color accuracy, whereas older iPhones dimmed and the colors shifted darker at wide viewing angles.
The iPhone 6's cameras have been upgraded. They're basically as good as SLRs and camcorders, but that's par for the course in high-end smartphones. One interesting change Apple made is adding support for high-FPS, slo-mo video capture, a trick sure to be popular. In my tests, it worked great in natural light but not in artificial lighting, such as a room illuminated by halogen or LEDs. (I don't have standard incandescent or fluorescent lighting to test under.) At least in LED- and halogen-lit spaces, I got a very unpleasant strobe effect when shooting in slo-mo.
The other big internal change is support for NFC (near-field communications) that will enable contactless mobile payments in the forthcoming Apple Pay service. Apple Pay doesn't work yet — an iOS 8 update planned for October is required, as are Apple Pay-compatible sales terminals in stores — so I could not test it. NFC may have other uses in the future, but for now Apple is tying it to Apple Pay to ensure security.
The iPhone 6 is not perfect, of course. There's one hardware change I'm not a huge fan of, and one change I wish Apple had made:
  • Apple moved the Sleep/Wake switch from the top of the iPhone to the right side, so you can reach it with your thumb when holding the device. But it means you can't quickly dismiss an incoming call during a meeting by double-pressing the button in your shirt pocket — you have to pull the phone out of your pocket to dismiss the call. I've found no alternative quick-dismiss method on the iPhone 6 for those of us who carry our phones in our shirt pockets. Apple should add a timed option for Do Not Disturb so that we can silence the phone in a meeting but not leave it silenced through forgetting to turn it back on, as is now required.
  • Apple did not move the audio jack to the top of the phone, where it's more convenient when carrying your iPhone in your shirt pocket (and where the iPhone 4 series had it, though not the iPhone 5 series). To listen to music while on the train or walking down the street, you have to put the iPhone in your pocket upside down to connect your earbuds — which exposes the speaker and Lightning openings to the outside elements. OK, the goal is to avoid the lint in the bottom of our pockets -- still.
Also, the sleeker new case is, well, slicker -- making the iPhone 6 more likely to slip out of your grip than it should be, a little like last year's Moto X was. I had my iPhone 4 for nearly four years without needing a case or bumper to keep it secure in my hand, but I won't take that risk with the iPhone 6. I just need to find a bumper or case that doesn't hide or sully its beautiful design.

The software is what makes the iPhone 6 so compelling

But where the iPhone 6 really shines is in its iOS 8 software. The new OS is full of small but useful improvements, especially for business users, as I've described in my survey of its enhancements to email, contacts, calendars, and texting. But it also includes general improvements that make the iPhone 6 experience much more compelling. 
Thank you for the new Middle-Aged view mode. A bigger screen still leaves text hard to read for many middle-aged folks like me. We want bigger pixels as much as we want more of them, so the iPhone 6 offers what I call Middle-Aged view mode (the real name is Zoomed view, available in the Display & Brightness pane in the Settings app), which makes everything bigger, essentially blowing up the iPhone 5s's screen into the larger physical size of the iPhone 6's screen. The graphics subsystem does the scaling, so there's no display lag as I found when Samsung tried a similar capability via software in its unwieldy Galaxy Note Pro 12 tablet earlier this year.
The image below compares the screen sizes.
The progression of iPhone screen sizes, from left to right: iPhone 4s, iPhone 5s, iPhone 6 in Zoomed view, and iPhone 6 in Standard view.
Widgets now can live in the Notification Center. The revamped Notification Center has a separate pane, called Today, for widgets. It shows a summary of the current weather and your day's calendar. To that you can add more widgets; scroll to the bottom of the screen and tap Edit to add or remove them. All apps that have widgets — dozens already do, from Evernote to Dropbox — automatically add those widgets to this screen. A lot of widgets are just quick launchers for their apps, but a few are actually useful, such as those for Yahoo Weather and iTranslate.
The Notification Center's Today screen is where widgets can be added to or removed from.
Keyboards go crazy. Speaking of widgets, iOS 8 also supports extensions, which let apps interact directly under iOS's supervision. The Box and Dropbox cloud services now have extensions, so app developers can more easily enable direct file access to their services, for example. But the early extensions are mainly alternative keyboards. I don't get the obsession some folks have over custom keyboards, but — what the hey — now you can get them.
Speaking of keyboards, a change I really dislike in iOS 8 is the new emoji keyboard that's enabled by default. The key appears near the spacebar, where it's easy to tap by accident. Unless you live in social media, it's more junk to wade through. You can remove it in the Settings app's General pane's Keyboard section. (I did.)
iOS 8 also offers the QuickType feature that suggests words above the keyboard as you type, so you can select the one you mean before typing it out. It's a feature you'll love or hate, because it can be as distracting as it is helpful. (To disable it, set the Predictive switch to Off in the Keyboards section of the Settings app's General pane.) Here's a tip: You can temporarily hide the QuickType bar by dragging it down, then drag it back up when you want it again — rather than disabling it. 
The Handoff feature is subtler than you might think. The big foundational new capability is iOS 8's Handoff, enabled by default in the Settings app's General pane. I love the idea of Handoff, which lets you start an activity on one device and pick up where you left off on another — a key enabler of the emerging trend I call liquid computing.
But Handoff works subtly, and it's easy to overlook. First, Bluetooth and Wi-Fi have to be turned on, and any devices you want to use it with need to be signed into the same iCloud account. The devices must also be in Bluetooth range of each other. When you start an activity in a compatible app on one device, the other devices "know" that and offer to take over that activity.
That's where it gets subtle. On a Mac, the icon for those apps appears on the left side of the Dock (or will, once OS X Yosemite ships next month). But on an iPhone or iPad, there's no such obvious if unobtrusive notification while you're working. As the figure below shows, Handoff announces apps you can take a handoff from in two places:
  • Through a tiny, easily overlooked icon at the bottom of the lock screen. Swipe up to open it.
  • In the App Switcher, if you swipe to the left. (Double-press the Home button to open the App Switcher.) Tap the app to open it.
iOS 8's Handoff feature shows apps available for handing off their activity in the left side of the App Switcher (left) and the bottom left of the lock screen (right).
When you open that app via Handoff, any data you're working on is carried over from the other device, such as an event you're adding in Calendar or a message you're composing in Mail. The feature works, if you know to look for it. I think Apple should provide the option for Handoff alerts in the Notification Center to give people more awareness when an app handoff is available. 
The extras Apple has for only the iPhone. iOS 8 brings to the iPhone 4s and later several extras beyond core iOS 8 that I really appreciate.
One is the new Health app, which collects health data from apps and devices that you connect to your iPhone via Bluetooth, such as fitness monitors. But like the iPhone 5s, the iPhone 6 itself is a fitness sensor, so you can immediately capture information like how many steps you've taken and how far you've walked. Most fitness monitoring gear sits unused after a few months, but your iPhone is almost always with you. For those of us who should be more active, the iPhone could be a more realistic way to do so.
The iPhone's new Health app can track your activity from the phone itself.
I also love that the Health app stores your critical medical info and can make it available to anyone via the lock screen's Emergency button. For example, if you're incapacitated, a caregiver can get vital information immediately. What a great idea!
Another cool feature is the new iPhone Cellular Calls feature (enabled in the Settings app's FaceTime panel). If your phone rings, any iOS 8 or OS X Yosemite device you have within Bluetooth range will also ring, allowing you to take the call from it. On an iPad, iPod Touch, or Mac, the phone call is sent via FaceTime over Wi-Fi. There's a lag of a second or so when using this feature, as the voice traffic gets sent between the iPhone and your other device, but it's a great way to pick up a call when your phone is not at hand.
The iPhone Cellular Calls feature is not part of Apple's new Handoff technology, so it works with more old Macs (as long as they run OS X Yosemite) and old iPads and iPod Touches (as long as they run iOS 8) than Handoff does. (Handoff is restricted to Lightning-equipped iOS 8 devices and 2012-and-later Mac models running OS X Yosemite.)
The iPhone 6 also supports automatic sending of phone calls over Wi-Fi rather than the cellular networks. This saves bandwidth for the carriers and provides phone access for you when a cellular signal is not available but a Wi-Fi network connected to the Internet is. However, only T-Mobile in the United States and EE in the United Kingdom have turned on that capability in their networks, so I could not test it. Both AT&T and Verizon say they'll have it in the United States next year. Sprint's network supports the technology, but the company has been silent about enabling it for the iPhone 6, and the store staff I asked had no clue.
InfoWorld Scorecard: iPhone 6
  • Apps and Web (20%): 8
  • Hardware (20%): 9
  • Platform services (20%): 8
  • Security and Management (20%): 9
  • Usability (20%): 9
  • Overall Score: 8.6

Security for work and home

The iPhone 6 and iOS 8 together are a powerhouse when it comes to security if tied to a mobile management server such as those from Citrix Systems, Good Technology, MobileIron, or any of several other vendors. In addition to supporting Microsoft's Exchange ActiveSync (EAS) policies:
  • iOS 8 has more APIs for security and management than any platform, BlackBerry excluded (when using its BES server).
  • iOS 8 provides a broader set of management capabilities, such as for e-books, than just security management.
  • It has vastly more user privacy controls than any other platform — personal security is anathema to Google's business model and not a concern in other mobile OSes, but should be.
  • It has hardware-protected biometric security and now credit card security no one else provides.
Nothing comes close to iOS 8's privacy controls over the data gathered by the iPhone's hardware and accessed by apps.
For corporate security, iOS 8 and BlackBerry 10 are essentially tied when used with a management server. Nothing matches BlackBerry's backbone network security, but even those backbones are open to national governments' spy agencies. Most businesses long ago decided they weren't so worried about the backbone anyhow.
What iOS ostensibly lacks is support for the notion of separate device personas, but that's more style than substance given the internal separation possible in iOS between personal and corporate assets. It's telling that persona-separation technologies such as BlackBerry Balance, Divide for Android, and Samsung Knox for some Android devices have gained little uptake despite massive attention.

About the supersized iPhone 6 Plus ...

I was unable to buy an iPhone 6 Plus to test, and Apple declined to loan InfoWorld one for review. But I spent a few minutes with one at Apple's Sept. 9 launch event and a few minutes more with units at several stores this past weekend.
What's different about the iPhone 6 Plus is the size and rear camera. In every other respect, it has all the positives and minuses of an iPhone 6.
The screen measures 5.5 inches diagonally, and the device weighs 6.07 ounces — that's 1.52 ounces, or 33.4 percent, more than the iPhone 6's 4.55 ounces. The rear camera's lens has an optical stabilization feature meant to help overcome the inevitable jitters from trying to hold such a monster device steadily in motion photography. (I could not test that.)
That extra time with the devices didn't change my opinion that the iPhone 6 Plus is too big. It's too much of a handful even with Apple's one-handed display trick (which also works on the iPhone 6): Double-tap the Home button to bring down the screen, so you can reach the top of the screen with your thumb. In most apps, you can scroll down in that diminished screen — but not in all.
The iPhone 6 Plus and iPhone 6 (shown here) let you double-tap the Home button to pull down the app so the top of its screen is more easily accessed by your thumb when controlling the iPhone with one hand.
The iPhone 6 Plus sticks too far out of a men's shirt pocket. That's great for surreptitious video recording, but I'd be constantly worried about it sliding out and falling to the floor any time I bent forward.
However, it's cool that apps can be designed to use all the extra screen real estate in landscape mode on an iPhone 6 Plus, switching to double-column view on Mail, for example, as if they were iPad apps. That's a smart accommodation of the "ablet" part of "phablet," and I wish Android phablets did the same.
I know there are people who love phablets, and who are comfortable using them with two hands all the time. And I know many of the Android makers are falling all over themselves to make each new model even bigger than the last, leading to really grotesque phone sizes. Seriously, people: A 4.7-inch screen is the optimal size for viewing, carrying, holding, and manipulating.
If you really want a micro tablet more than a smartphone, rather than use both an iPhone and an iPad, then I get the appeal of the iPhone 6 Plus. But try out an iPhone 6 Plus in person to see if it's right for you.

The iPhone 6: This is the iPhone you've been waiting for

The iPhone 6 and iPhone 6 Plus are available from the major U.S. carriers — AT&T, Sprint, T-Mobile, and Verizon — as well as from major carriers in Japan, Australia, and much of Europe. (Apple's still waiting for regulatory approval in China.)
The iPhone 6 costs $649 for the 16GB model, $749 for 64GB, and $849 for 128GB — the pricier models offer more capacity than the predecessor iPhone 5s did. Some carriers will subsidize those prices with a $450 discount if you agree to a two-year contract. The iPhone 6 Plus has the same capacities but costs $100 more for each model. The casing colors are the same as for the iPhone 5s: silver, gold, and dark gray. Gone is the M&Ms color scheme of last year's iPhone 5c.
Samsung has derisively congratulated Apple for the new iPhone models, saying "Welcome to 2012." It's true that the iPhone 5 series was too small at 4 inches, and most iPhone users have jealously regarded those bigger competitors. But the iPhone 6 is a much better smartphone than the competitors' offerings. Much of that is because iOS 8 is a vastly superior operating system to Android 4.4 KitKat, and Apple's customizations of iOS 8 for the new phones are smarter and more sophisticated in most cases than what Android smartphone makers have done.
No one can match Apple when it comes to the total package — once Apple commits to that total package. Although a good smartphone, the iPhone 5s was clearly an interim product. The iPhone 6 is the total package — and a great smartphone.

Review: The best password managers for PCs, Macs, and mobile devices

Thanks to high-profile computer security scares such as the Heartbleed vulnerability and the Target data breach, and to the allegations leveled at the government and cloud providers by Edward Snowden, more of us Internet users are wising up about the security of our information. One of the smarter moves we can make to protect ourselves is to use a password manager. It's one of the easiest too.
A password manager won't shield you against Heartbleed or the NSA, but it's an excellent first step in securing your identity, helping you increase the strength of the passwords that protect your online accounts because it will remember those passwords for you. A password manager will even randomly generate strong passwords, without requiring you to memorize or write down these random strings of characters. These strong passwords help shield against traditional password attacks such as dictionary, rainbow tables, or brute-force attacks.
Many password managers allow you to automatically populate your password vault by capturing your Web log-ins using a browser plug-in and allowing you to store these credentials. Other options for populating your password database include importing an Excel spreadsheet or manually entering your log-in information. Further, using these stored credentials is typically automated using a browser plug-in, which recognizes the website's username and password fields, then populates these fields with the appropriate log-in information.
Although several browsers offer similar functionality out of the box, many password managers offer several benefits over the built-in browser functionality -- including encryption, cross-platform and cross-browser synchronization, mobile device support, secure sharing of credentials, and support for multifactor authentication. In some cases, usernames and passwords must be copied from the password manager into the browser, reducing the ease-of-use but increasing the level of security by requiring entry of the master password before accessing stored log-in information.
Some password managers store your credentials locally, others rely on cloud services for storage and synchronization, and still others take a hybrid approach. Some of the options using local storage (such as KeePass and 1Password) still support synchronization through Dropbox or other storage services. Deciding which password manager is best for you will come down to features and ease-of-use, as well as to whether you're comfortable storing your passwords on the Internet.
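InfoWorld Scorecard
Weights: Features (30.0%), Setup (15.0%), OS support (20.0%), Ease of use (25.0%), Value (10.0%), Overall Score (100%)
  • 1Password 4.0: Features 8.0, Setup 7.0, OS support 8.0, Ease of use 8.0, Value 8.0, Overall Score 7.9
  • Dashlane 2.4.1: Features 9.0, Setup 8.0, OS support 7.0, Ease of use 8.0, Value 7.0, Overall Score 8.0
  • KeePass 2.26: Features 10.0, Setup 7.0, OS support 8.0, Ease of use 7.0, Value 10.0, Overall Score 8.4
  • LastPass 3.1.2: Features 10.0, Setup 8.0, OS support 8.0, Ease of use 8.0, Value 9.0, Overall Score 8.7
  • PasswordBox 1.3: Features 8.0, Setup 8.0, OS support 7.0, Ease of use 8.0, Value 8.0, Overall Score 7.8
  • SplashID Safe 7.2.3: Features 7.0, Setup 7.0, OS support 8.0, Ease of use 7.0, Value 7.0, Overall Score 7.2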
If having your critical data stored in a cloud service worries you, then KeePass, 1Password, or SplashID Safe (sans SplashID's cloud service) offer the best options. If you trust cloud-based services with your passwords and believe they will really protect your data using good security practices and encryption, then LastPass, Dashlane, or PasswordBox are your best bets.
In my judgment, KeePass is the best of the options using local storage. The fact that it's open source, free, and complemented by countless plug-ins adds up to a very flexible option. With the right combination of plug-ins, KeePass can be made to do just about anything you could require of a password manager. My favorite cloud option is LastPass, primarily due to its low cost and the consistent implementation of features across all of the clients. Each LastPass client I tested was easy to work with, stable, and remarkably uniform from a usability perspective. Additionally, the fact that a LastPass Premium account is all of $1 per month makes it an extremely compelling option.
But one of these other options might suit you better. Really, you can't go wrong with any of these password managers.
1Password
1Password is the brainchild of AgileBits, maker of the popular Knox encryption tool for OS X. Unlike Knox, 1Password offers support for multiple platforms, including Mac, Windows, iOS, and Android.
Like KeePass, 1Password uses a local file to store encrypted passwords. AgileBits does not provide a cloud service for synchronization with mobile devices, but 1Password does support synchronization of the password vault using Dropbox (all platforms) or iCloud (Mac and iOS only). 1Password also supports synchronization over Wi-Fi between Windows, Mac, and iOS clients. Because the 1Password vault is contained in a single file, you gain the convenience of a portable password vault without having to store your passwords on the Internet.
1Password clients allow you to create and maintain multiple password vaults. Multiple vaults can be used to share some of your passwords with another family member or coworker. Secure sharing between 1Password clients is supported, giving you a method to transmit a login (or any sensitive information, such as a credit card number or the answer to a website's security question) to another licensed 1Password user over an encrypted channel. Emailing login information in plain text is also supported, but this information is only as secure as your email traffic.
The cost of using 1Password is markedly different than cloud-based password lockers. Users must purchase clients for each platform they intend to use, costing more up front than a subscription service, but potentially saving money in the long term. 1Password for PC and Mac cost $49.99, while the universal iOS version runs $17.99. The Android app is free with in-app purchases, providing read-only access to your password vault until you purchase the upgrade. AgileBits also provides bundled options for purchasing 1Password for PC and Mac or a five-user family license.
My biggest concern with 1Password has to do with feature parity between the Mac and PC versions. Currently both platforms offer similar features, largely due to a massive update to the Windows version just days before publication of this article. Previously, features such as secure sharing or Wi-Fi sync were nowhere to be found. AgileBits has made good on promises to bring these features to all platforms, but if you're primarily a PC user, the lag may be cause for concern. Regardless, 1Password is a strong password manager. With AgileBits' strong ties to the Apple community, this is particularly true for Mac and iOS users. 
1Password stores your passwords in a local file, but supports synchronization across devices using Dropbox and iCloud.
Dashlane
Dashlane toes the line between cloud service and local password manager in an attempt to answer every security concern. You can store your password database on Dashlane's servers and take advantage of synchronization across devices, or you can store your password vault locally and forgo synchronization. It's your choice.
If you store your password database in Dashlane's cloud, your master password remains with you only. Rather than storing a hash of the master password on its servers, Dashlane claims to use your password merely to encrypt and decrypt the data locally. For this reason your password database on the Web is read only, and changes can solely be made on a client.
Authentication is performed against devices that are registered with Dashlane through a two-step process, incorporating your master password and a device registration code sent via email. Two pricing tiers are offered for Dashlane users. A free account allows access to your passwords through a single device of your choice. Premium accounts, which cost $29.99 per year, let you synchronize your passwords across multiple devices, give you access to the read-only Web app, and entitle you to Dashlane's customer support.
With Dashlane, retention of your master password is critical. The company states that it is unable to perform password recovery in the event of loss, a necessary side effect of its decision to not store a copy of your password in any form. Two-factor authentication is also supported through the use of Google Authenticator. Support for two-factor authentication must be enabled through the Windows or Mac client and can only be used on Internet-connected clients. Dashlane's secure sharing process combines an email containing a link and an access code, both of which expire within a short period of time. It's the best approach to secure password sharing I've seen.
Because Dashlane attempts to be a hybrid of a cloud-based and local password manager, it isn't as full featured as other cloud offerings, and it may not win over customers fearful of cloud services. However, Dashlane has been able to accomplish something truly remarkable through no small amount of ingenuity and attention to security precautions. Before you dismiss Dashlane because it's a cloud-based service, take a look at the company's security whitepaper, which details the concepts and security practices it has implemented.
KeePass
A mature open source project (GNU GPL version 2), KeePass is a free password management solution for Windows, OS X, or Linux, running natively on Windows and requiring Mono for the other platforms. Many of the benefits of open source software are prevalent in KeePass, including ports to other client operating systems and a robust plug-in ecosystem. With the extensibility offered by plug-ins for KeePass, you can change the encryption algorithm, automate logins through your browser, integrate an on-screen keyboard, or even create scripts you can run against KeePass.
KeePass was designed to store a local copy of the password vault. Cloud backup and support for synchronization across multiple devices are obtained through plug-ins that work with the likes of Dropbox, Google Docs, and Microsoft OneDrive. A side benefit of a local password database such as KeePass is the ability for multiple users to share a database or for one user to keep multiple databases, sharing some and keeping others private.
With KeePass, you can lock your password vault using a combination of password, key file, and Windows authentication.
Mobile support for KeePass is a little more obtuse than some of the commercial options. Ports are available for iOS, Android, and Windows Phone, but the big question becomes synchronization support. Not all mobile ports support cloud synchronization, and those that do support only a subset of the cloud options. Some mobile KeePass clients carry a cost, though most are in the $1 to $2 range.
If you're more concerned about the security of your password vault than mobile clients and device synchronization, you'll be pleased to know that KeePass supports multiple authentication methods by default. KeePass database files can be locked by a combination of password, key file, and Windows user account. With a key file stored on removable media such as a USB thumb drive, two-factor authentication can be used to secure access to your critical passwords.
The biggest downside to KeePass is complexity. Getting all of the advanced functionality offered by the competition will require quite a bit of research, setup, and maintenance. While KeePass is a great solution for fans of open source, maximum flexibility, and free software, it is certainly not as straightforward as some of the cloud-based services listed here.
LastPass
LastPass may be the most popular password manager in this review, due to a rich set of features, support for a wide range of mobile platforms, and straightforward licensing, not to mention aggressive marketing. Unlike KeePass, LastPass is decidedly cloud-centric, using its own cloud service to store user information and synchronize data.
LastPass offers a free and premium pricing tier for consumers, with the premium service costing just $1 per month. Users of the free edition get many of the basics you'd expect from a cloud-based service, including plug-in support for multiple browsers, anywhere access, and even support for multifactor authentication using Google Authenticator on an Android or iOS device or Microsoft Authenticator on Windows Phone. Mobile device support requires a premium account but includes support for iOS, Android, BlackBerry, and Windows Phone. Even some mobile browsers such as Dolphin and Firefox Mobile work with LastPass Premium to automate username and password entry. Finally, premium users get access to the LastPass support team, rather than being relegated to the user forums.
LastPass offers handy functionality for sharing accounts with friends and family. The free service allows you to selectively share account login information with other LastPass users, allowing them to authenticate to individual Web applications using your information, without giving them direct access to your passwords. Premium account subscribers get access to a Family Folder, a feature that lets you specify exactly which login information to share with up to five other LastPass users.
Desktop support for LastPass is somewhat confusing. Downloading the basic installer for Windows provides browser plug-ins, an import tool (for migrating from another password vault or spreadsheet), and a shortcut to the LastPass Web app. Premium subscribers also have access to LastPass for applications, which provides increased utility by allowing you to automatically log into desktop applications such as Skype or a corporate VPN client.
LastPass
LastPass is a cloud-centric password manager with an abundance of features and mobile clients.
LastPass supports several forms of two-factor authentication. I've already mentioned that both Microsoft Authenticator and Google Authenticator are supported with free accounts, providing simple integration using a mobile device. Premium accounts gain support for Yubikey, a USB hardware authentication device, and Sesame, a software authentication tool run from a USB storage device.
If you need simple password management in a Web app, you can't go wrong with a free LastPass account. For more granular credential sharing and mobile device support, LastPass premium will be the best $1 you spend each month.
PasswordBox

PasswordBox bears a number of similarities to Dashlane. Master passwords are neither stored nor transmitted, meaning that password data is secured throughout the process, and password resets are technically impossible. PasswordBox even takes extra steps to ensure the security of your information in other ways, such as PCI-compliant data centers and providing the ability to send the company encrypted email using the PGP key published on its website.
PasswordBox is currently missing some of the features available in Dashlane, such as two-factor authentication, but both two-factor and fingerprint-based authentication are reportedly coming soon. You can read about the security measures PasswordBox uses to safeguard password data in the company's security whitepaper.
PasswordBox does not use stand-alone client programs on Windows and Mac, opting instead for browser plug-ins (Chrome, Firefox, and Internet Explorer), but mobile apps are available for both iOS and Android. Another minor oddity: PasswordBox doesn't offer a Web app to view or edit passwords or manage your account -- everything is handled via mobile app or browser plug-in.
PasswordBox is priced competitively with the other cloud-based password managers. Free accounts support up to 25 stored passwords, including synchronization and full sharing capabilities. Premium accounts cost $12 per year and give you unlimited password storage. Referring five friends nets you a premium account for life.
PasswordBox allows users (free or premium) to share saved log-in information seamlessly between accounts, even without the passwords being visible. Shared log-ins persist even through password changes, and they can be revoked at any time. An interesting and unique feature of PasswordBox is the Legacy Locker, which allows you to designate one or more responsible parties who get access to your account information in the event of your death. Account transfers using Legacy Locker are not performed until a death certificate is provided and validated.
For truly cutting-edge security, PasswordBox has partnered with the soon-to-be-released Nymi authentication device. The Nymi wristband measures your cardiac rhythm to offer three-factor authentication to PasswordBox -- using your master password (something you know), your Nymi wristband (something you have), and your heartbeat (something you are). The Nymi can be pre-ordered for $79, and it will include a premium PasswordBox account for life.
PasswordBox
PasswordBox stores your passwords on its servers, but they're never decrypted there. Passwords can only be viewed and edited using the browser plug-in or mobile client.
SplashID Safe

SplashID has been in the password manager business for years. Its product, SplashID Safe, has been particularly popular on mobile devices. Currently SplashID Safe supports access through the Web and client apps for Windows desktop, Windows 8, Mac, iOS, Android, Blackberry 10, and Windows Phone.
Where other password managers are either local or cloud-based, SplashID Safe supports either option. The SplashID cloud service allows you to synchronize your password vault over the Internet for $1.99 per month or $19.99 per year. For users who don't want to store their password vault in the cloud, SplashID is available in a version that supports manual synchronization over Wi-Fi (for a one-time cost of $29.99) or a no-sync version for $9.99.
For an additional $5 per user per month, families or businesses can leverage SplashID Safe Teams edition, which adds an admin panel that allows you to control who has access to each record, either by assigning a record to an individual user or a group of users. Note that the Windows 8 client is not currently supported in the Teams edition.
SplashID Safe has at least one feature we wish all the cloud-based services would implement: the ability to configure a login as local only, giving you the ability to prevent your most sensitive data from being stored on the Internet. The idea is that if you have certain login information or other sensitive data you don't trust to the Internet, you can prevent this information from being uploaded to SplashID's servers.
SplashID Safe lets users share login information by sending an email containing a link to retrieve the information. Links to shared information are secured with a password (which can be included in the email or shared using another method), are valid for only 24 hours, and expire after the first use.
Two-factor support in SplashID only provides an extra layer of security when registering a new device (not on each login), requiring you to enter a six-digit code sent via email. While a registered device paired with a password technically meets the definition of two-factor authentication (something you have and something you know), it's not quite up to par with services offering support for Google Authenticator or other two-factor methods. SplashID Safe offers a pattern unlock feature as an alternative to a master password, but I found this feature to be somewhat inconsistent.
Other contenders

It's always nice when a security product is backed by a brand synonymous with computer security, and Symantec's Norton Identity Safe certainly has that factor in its favor. Identity Safe has another plus: It's completely free. You have a number of free password managers to choose from, but none are cloud services operated by a software vendor with a level of trust built up over decades. Norton Identity Safe used to be part of a Norton security suite, but it's now a stand-alone service with a Web front end and clients for Windows, iOS, and Android.
RoboForm is a popular password manager and form filler, but it falls short of the leading contenders on a few counts. Though it offers synchronization across multiple platforms, there is no Web app, two-factor authentication, or sharing capability. Individual RoboForm desktop licenses can be purchased outright for Mac or PC at a price of $29.95, and a Windows portable version for USB storage is available for $39.95. RoboForm also offers subscription-based licensing for $19.95 per year, which provides synchronization and access through mobile apps on iOS, Android, Windows 8, and Windows Phone.
KeePass isn't the only open source password manager. There's also Password Safe, currently available for Windows in both installable and portable versions, and for Linux in a beta version. Password Safe is not nearly as feature-rich or mature as KeePass, and I'd be hard-pressed to give you a reason to use it over its big brother. That said, Password Safe is a viable alternative, and if all you need is a local password manager, the decision may come down to which program you find easier to use. The result may be Password Safe.
My1Login has both a free version, supported through advertisements and affiliate links to partner sites, and a pro version, which eliminates the ads and affiliate links for $2 per month. My1Login offers features commonly found in the other contenders such as secure sharing and strong password generation. The problem with My1Login is that the entire service is Web-based, with mobile support coming through the mobile Web app only. While My1Login is enthusiastic about the minimal setup requirements due to the lack of client applications, I find this method to be more difficult to use in the long term.
Keeper Backup is a full-featured password manager supporting multiple client platforms, including Mac, Windows, iOS, Android, and Windows Phone. Security features offered by Keeper Backup include two-factor authentication and secure sharing. Keeper offers three pricing tiers, starting with a free edition that supports one device, no sharing, and a limited amount of data. Keeper Backup provides unlimited storage, access to the Keeper Web app, secure sharing, and access to the support team for $9.99 per year. Backup Unlimited adds support for synchronization across devices for a heftier $29.99 per year.
Trend Micro's DirectPass has a free option that supports only five passwords. Trend Micro's subscription service, which costs $14.95 for one year or $24.95 for two years, supports an unlimited number of passwords and devices. Desktop clients are available for both PC and Mac, and mobile clients are available for iOS and Android. While there's nothing wrong with DirectPass, it doesn't match other competitors in features or polish.

The 25 worst passwords of 2013: 'password' gets dethroned

"123456" is finally getting some time in the spotlight as the world's worst password, after spending years in the shadow of "password."
Security firm Splashdata, which every year compiles a list of the most common stolen passwords, found that "123456" moved into the number one slot in 2013. Previously, "password" had dominated the rankings.
The change in leadership is largely thanks to Adobe, whose major security breach in October affected upwards of 48 million users. A list of passwords from the Adobe breach had "123456" on top, followed by "123456789" and "password." The magnitude of the breach had a major impact on Splashdata's results, explaining why "photoshop" and "adobe123" worked their way onto this year's list.
Fans of "password" could reasonably petition for an asterisk, however, given that the stolen Adobe passwords included close to 100 million test accounts and inactive accounts. Counting those passwords on the list is kind of like setting a home run record during batting practice. Don't be surprised if "password" regains the throne in 2014.
Weaker passwords are more susceptible to brute-force attacks, where hackers attempt to access accounts through rapid guessing. And when encrypted passwords are stolen, weaker ones are the first to fall to increasingly sophisticated cracking software.
As always, Splashdata suggests avoiding common words and phrases, and says that replacing letters with similar-looking numbers (such as "3" instead of "E") is not an effective strategy. Instead, consider using phrases of random words separated by spaces or underscores, and using different passwords, at least for your most sensitive accounts. Password management programs such as LastPass, KeePass, and Splashdata's own SplashID can also help, as you only have to remember a single master password.
Here's the full list of worst passwords from 2013, according to Splashdata:
1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
11. 123123
12. admin
13. 1234567890
14. letmein
15. photoshop
16. 1234
17. monkey
18. shadow
19. sunshine
20. 12345
21. password1
22. princess
23. azerty
24. trustno1
25. 000000
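The advice above, that swapping letters for look-alike digits does not help, can be seen in a denylist check that undoes such swaps before comparing. This is an added example, not code from the article or from Splashdata; the function names, the substitution table and the sample candidates are assumptions constructed for illustration.

```python
"""Denylist check that undoes look-alike substitutions (added example)."""

# The 25 entries from the Splashdata 2013 list quoted in the article.
WORST_2013 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
}

# Assumed substitution table: each look-alike character collapses to one
# representative, so "1", "!", "i" and "|" all land in the same class.
LOOKALIKES = str.maketrans("013457@$!i|", "oleastaslll")

# Characters people commonly append to an otherwise weak password.
DECORATION = "0123456789!@#$%^&*?._-"


def skeleton(password: str) -> str:
    """Lowercase the password and collapse look-alike characters."""
    return password.lower().translate(LOOKALIKES)


# Map each listed password's skeleton back to the listed entry.
SKELETONS = {skeleton(entry): entry for entry in WORST_2013}


def check(candidate: str):
    """Return (verdict, matched_entry) for a candidate password.

    "not_listed" only means the candidate is not a variant of a listed
    entry; it is not a statement that the candidate is strong.
    """
    if candidate in WORST_2013:
        return ("listed", candidate)
    if skeleton(candidate) in SKELETONS:
        return ("lookalike", SKELETONS[skeleton(candidate)])
    # Retry after stripping digits and symbols tacked onto the end.
    core = candidate.rstrip(DECORATION)
    if core and skeleton(core) in SKELETONS:
        return ("decorated", SKELETONS[skeleton(core)])
    return ("not_listed", None)


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ("123456", "P4$$w0rd", "tru5tn01", "Monkey2014!",
               "maple_anchor_violin_kettle"):
        print(f"{pw!r:32} -> {check(pw)}")
```

A site can run a check like this at password-change time and reject anything that is not "not_listed", ideally against a much larger breach-derived list than these 25 entries.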
This story, "The 25 worst passwords of 2013: 'password' gets dethroned" was originally published by PCWorld.

Nov 26, 2014

Security industry wasn't proactive in disclosing Regin malware

The Regin malware was well written and designed to conduct cyberespionage, likely launched by the NSA and GCHQ
After details of the sophisticated Regin malware were published online, there was concern that security companies didn't do enough to protect Internet users from the threat. Although the malware was released years ago, Symantec reportedly did not identify it and include it in its detection systems until December 2013.
However, it would appear Symantec identified Regin sometime in 2010 and it was labelled a Trojan in 2011, while F-Secure identified parts of the malware in 2009, with Microsoft learning of it in 2010.
"Symantec has been monitoring Regin for some time," Symantec recently told Forbes. "However, it has taken some time to gather all necessary components so that we can build a good understanding of the threat. We have also been monitoring for any further activity and attacks. Since no further information has come to light we have made the decision to release our findings publicly."
The Regin malware was likely created by the NSA and GCHQ. Considering the US and UK priority on surveillance, cybersecurity experts wouldn't be overly surprised if the two countries were behind the code.





Did The Security Industry Fail To Protect The World From Regin?

Symantec, the world’s number one supplier of anti-virus software, first began looking into the super-smart Regin surveillance tool in the fall of 2013 and added it to its detection systems in December of that year. Not a bad turnaround, right? Maybe not.
The firm told me over email: “Symantec has been monitoring Regin for some time. However, it has taken some time to gather all necessary components so that we can build a good understanding of the threat. We have also been monitoring for any further activity and attacks. Since no further information has come to light we have made the decision to release our findings publicly.”
But Simon Edwards, who runs anti-virus testing business Dennis Technology Labs, did some quick research today showing that Symantec was actually detecting components of Regin back in 2010 and had labelled it a Trojan in March 2011. That was the same time Microsoft had picked up on the malware, thought by various sources I’ve spoken with to be a product of GCHQ and National Security Agency hackers. But there’s something odd about that initial Microsoft detection: it didn’t include any technical information. Microsoft’s systems evidently saw Regin was doing something bad, but then no human analyst decided it was worthy of attention. Another anti-virus provider, F-Secure, told me it had started blocking components from as early as 2009, whilst admitting on Twitter the firm had been asked by a customer, not a government body, to not publicly divulge information on Regin.
Here’s something a little more perplexing: Symantec has given Regin the lowest possible risk rating and only a “medium” score for its “damage rating”. That’s likely because only 100 or so machines have actually been hit with Regin. Microsoft, meanwhile, gave it a “severe” rating three years ago. Such mixed messages don’t fill onlookers with confidence. Let’s remember this is a piece of malware that reportedly infected systems at Belgacom, a major ISP that provides services for the European Union, and one of the world’s top cryptographers, Jean-Jacques Quisquater.
This would all indicate AV firms’ technology did an adequate job at figuring out if something was malicious and then blocking it. But neither the tech nor its owners were quick to figure out just how severe a threat Regin was, hence Symantec’s bizarre statement that it wasn’t detecting until last year. Nor were they able to expose Regin as a nation state-sponsored malware as fast as they might. And they were either afraid to say it outright or didn’t have enough hard facts in front of them: this was the work of GCHQ and/or the NSA.
Perhaps if their threat data sharing mechanisms were better, they would have pieced the Regin puzzle together sooner. And maybe it’s time we saw the same high-quality anti-virus as something that comes as standard with every computer and phone. That would require more standardised data sharing across companies. They would, of course, have to find other ways to remain competitive. But it would make us all that much more secure from nation states with too much funding and time on their hands.