The longer and more complex it is, the longer the cracking process will be. But avoid using obvious substitutions such as “$tr0ng” where you replace s with $ and o with 0. Substitute numbers with letters, thus making it easier for you to remember. The mixture of numbers, characters, symbols makes it hard to crack. Avoid using similar passwords that only a single word or character is changed. Use one that has at least 16 characters, one number, one upper letter, one lower letter, and one symbol. Using a week password puts all of your data at risk. Do not include information such as your birthday, address, anniversary, birthplace, school, etc.
Personal information is easily discoverable. So, be careful about choosing unique and different ones for your accounts. Hackers try the same combinations on different platforms. That decreases the possibility of breaking your account. Software backed keystore is deprecated from android 7+.The first and the most important tip is making your password unique for each of your accounts. The keys are encrypted with the screen lock pin/pattern/password but if you remove this lock the keys are decrypted. Software backed keystore keys can be found in /data/misc/keystore/user_0/. Software backed keystore cannot verify device integrity as its private key is not secured in tamper-resistant isolated storage. If the device integrity is broken, web service can refuse service to the client. Root cannot tamper with TEE signed data without knowing its private key or without Google certified public key. Then they can certify this information using their private key and send it to the web service. What hardware backed keystore and strong box can do is to securely verify device integrity such as whether chain of trust is custom, whether bootloader is unlocked, hash of OEM public key, hash of /vbmeta image, etc. A code injection by root user can dump anything in memory which is supposed to be secured. It doesn't matter how sensitive data is secured, it has to be loaded in memory in order to be used by the app. Any app with root privileges can impersonate other apps and have their sensitive data decrypted or signed by the keystore by issuing a legitimate request on behalf of other apps and system. Keystore saves cryptographic blobs of apps for encryption, signing, attestation and authentication. Strong box, hardware backed keystore and software backed keystore cannot protect sensitive data from getting compromised by root user.
0 kommentar(er)
