In the following we'll address frequently asked questions
about the Tresør application.
PIN storing doesn't
On some phones
you need to move the application to the phones
and exporting password files (JSR 75)
On most phones
you need to give the application the right to
read and write data before import and export works.
Apart from that, check with your phone manufacturer that your phone supports the optional
JSR 75 (PDA Optional Packages for the J2ME® Platform) functionality.
Why does the application exit after 2 minutes?
It's a security function to
exit the application after 2 minutes of inactivity. This protects
your data in case you leave your phone with the application
started and PIN entered somewhere unwatched.
The backlight of the
display goes off before I can finish copying my password.
Can you change that?
There is no manufacturer-independent
way to accomplish this. You'd have to change the
general display or power saving settings of your phone.
How can I protect myself from data loss?
Export your passwords often to your micro SD
storage and/or to your desktop computer.
How can I migrate my data to a new phone?
Follow these steps:
Export your passwords on the old phone,
move the export file to your new phone (using your PC),
install Tresør on the new phone,
import the file on the
new phone using the newly installed Tresør application.
How easily can my master PIN be cracked?
The longer your PIN is, the better. Internal
testing in 2010 with current consumer hardware
gave the following numbers for a brute-force attack:
Time to crack
Please note that the numbers may differ by a large
magnitude if the attackers have good equipment
and good IT skills.
How many digits should my PIN have?
If you lose your cell phone or it gets stolen,
you should have enough time to disable your bank and web accounts. Take a look
at the table above and add some extra safety.
I've forgotten my PIN. Can you help me?
It's our policy not to crack PINs, help crack
them, or break laws.
How secure are my passwords?
The passwords are encrypted
using the AES-256 algorithm with a random initialization
vector and a SHA-256-hashed PIN. The PIN hash itself is not
stored to avoid rainbow table attacks.
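The link between PIN length and cracking time from the two PIN questions above, and the encryption scheme just described, as an added example that is not Tresør's own code: the AES-256 key can never be stronger than the PIN it is derived from. It assumes the key is the plain SHA-256 digest of the PIN's ASCII digits, and the guess rate is a constructed value, not a Tresør measurement.

```python
import hashlib
import math

# Constructed guess rate for illustration only; it is not a Tresør measurement.
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def derive_key(pin: str) -> bytes:
    """Assumed scheme: AES-256 key = SHA-256 over the PIN's ASCII digits."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must consist of the digits 0-9")
    return hashlib.sha256(pin.encode("ascii")).digest()


def effective_bits(digits: int) -> float:
    """Entropy of a uniformly random numeric PIN; the 256-bit key is no stronger."""
    return digits * math.log2(10)


def expected_seconds(digits: int, guesses_per_second: float) -> float:
    """Average time to find the PIN: half the keyspace has to be tried."""
    return 10 ** digits / (2 * guesses_per_second)


def min_digits(window_seconds: float, guesses_per_second: float,
               safety_factor: float = 1.0) -> int:
    """Shortest PIN whose average search time covers the window times the safety factor."""
    needed_guesses = 2 * guesses_per_second * window_seconds * safety_factor
    digits = 1
    while 10 ** digits < needed_guesses:
        digits += 1
    return digits


if __name__ == "__main__":
    day = 24 * 3600  # example window for blocking bank and web accounts
    for n in (4, 6, 8, 10, 12):
        secs = expected_seconds(n, ASSUMED_GUESSES_PER_SECOND)
        print(f"{n:2d} digits: {effective_bits(n):5.1f} bits, ~{secs:,.3f} s on average")
    print("digits for one day:", min_digits(day, ASSUMED_GUESSES_PER_SECOND))
    print("with 10x safety margin:", min_digits(day, ASSUMED_GUESSES_PER_SECOND, 10))
```

Replace the assumed rate with a figure that matches the attacker you want to plan for; the safety factor corresponds to the "extra safety" recommended above.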
Can a thief extract
the passwords to his PC without the PIN?
It depends on your
mobile phone implementation. You should assume
that he can.
Why is the PIN
numeric? An alphanumeric PIN would be more difficult
Restricting the PIN to be numeric speeds up
application usage on numeric keypad phone models.
On this type of phone, the risk of mistyping
alphanumeric PINs is much larger.