SplashID Alternative: Migrating from SplashID to the STRIP password manager on Mac OS X

2012-03-18 16:52:50 -0400

Update 3/21/2012: We've released a graphical tool for Windows and OS X called Convert to Strip since we published this article. It's for converting your SplashID (or 1Password) data to STRIP's CSV format, read about and download Convert To Strip here.

At BlackHatEU last week, ElcomSoft presented a paper where they demonstrated attacks on several popular Password Managers. One of the most critical flaws was identified in SplashID, a popular password manager for iOS. The researchers found that a global key was used to encrypt the master password, rendering it instantly recoverable. A working exploit has already been published.

In light of this critical problem, there has been some interest from prospective customers in migrating to STRIP, which was recognized at the same conference as the "most resilient to password cracking" and one of the only applications that properly implemented strong cryptography.

To help support migration of users from SplashID to Strip, we we developed this conversion script that can run through the SplashID file and create a CSV file that you can import into STRIP Desktop or the free StripSync helper app. The following example assumes some familiarity with the Terminal app for OS X, that the SplashID export file is named "SplashID Export.vid," and that it's in the same directory as the Ruby script.

Note: There is now a free conversion tool available for windows too!.

0. Download the script and save it to your Desktop

Download this zip file containing convert.rb and expand it. Copy the convert.rb file to your Desktop.

1. Export the SplashID data

Launch SplashID Safe and login. Once the application is unlocked, go to the File menu and select Export, then SplashID vID.

On the panel that appears (below) select Export all records, and un-check Export Attachments. Keep the suggested name for the file, click on Where to select your Desktop, and then Save. When prompted, enter a blank password.

2. Convert the data

Open the Terminal.app and enter the following commands:

    cd ~/Desktop
    ruby convertb.rb

You should see output similar to the following:

    $ ruby convert.rb
    Examining SplashID Export.vid...
    We've found 11 entries, composing output...
    Your file strip-import.csv is ready for import into STRIP!

3. Check the data

There is now a 'strip-import.csv' file on your Desktop. You can open it in a spreadsheet editor to check its contents (e.g. OpenOffice.org, Numbers, Excel), or open it in a simple text editor. It's always a good idea to check the data over before importing it into STRIP.

In my case, since I already had data in STRIP, I set the Category to "SplashID Data" in the spreadsheet for each row so that all the new entries would show up together in the next step.

4. Import the data into STRIP

Log into STRIP, go to the File menu, and select "Import...", and choose the strip-import.csv file on your Desktop.

Once you've checked that everything looks OK in strip you should delete the two plaintext import/export files and remember to securely empty your trash.

About Zetetic

Zetetic LLC is a small company specializing in applied data security. As the developers behind the SQLCipher encrypted database library and Codebook Password Manager, hundreds of organizations and millions of users trust Zetetic’s software and frameworks.

Recent Posts

Search Other Posts