06-25-2009, 01:53 PM   #1
Mykec
What is the Default Encryption Strength?

Hello, I was wondering if anyone knows what the default encryption strength is for keeping records private. I’m asking because I currently keep all my cc#s and passwords in just 1 private password-protected memo (Is this a good idea?). I know there are 3rd party programs; I’m trying to avoid using one of those apps. Also, does anyone know how easy or hard it is to break into someone's private records? I’m just trying to see how secure my data is “out of the box” and if I should install a 3rd party Wallet Type app.

Thank You In Advance

Last edited by Mykec; 06-25-2009 at 03:28 PM.
06-25-2009, 04:07 PM   #2
Mykec
I think I found the answer to my question. Here's an article from 2001, so some of this info may be out of date. Please let me know if you know.
It's from Epinions (sorry, can't post link since new mbr),
but a Google search for "how secure is your palm data" should bring it up.

Your Palm isn't as secure as you think... - What Should You Know About PalmOS PDAs -
Your Palm isn't as secure as you think...
Aug 27 '01 (Updated Sep 05 '01)

The Bottom Line: You should make yourself aware of the potential ways that security holes in the Palm OS can be exploited, so that you can protect the data stored on your PDA.

The Palm (and other PDAs) are becoming a ubiquitous tool in today's fast-paced business world. You see lots of people use them in meetings, on the road, on the subway, in the office, and just about anywhere you go. They are truly useful devices (I have one myself) as you can store all of your life's information in them. However, as handy a place as it is to keep all your data, there is something that you should know about.

That issue is about security. Now most people are not aware that the Palm Operating System is NOT a secure place to keep your private data, even with the use of the included security application and system lockout. To demonstrate these weaknesses, I will give several examples of software and/or websites that exploit these weaknesses to bypass the security entirely. Please be clear that PDAs from several manufacturers use the Palm OS, including Palm, Qualcomm, Kyocera, Handspring, and Sony.

I was made aware of these issues last week when my boss' Palm became locked and he couldn't remember the password. Plus he hadn't sync'd in over 3 months! Searching the Internet for a solution to crack it really opened my eyes to the insecurity of the Palm platform.

Private parts
In the first example, consider a Palm to which a password has been assigned and several records have been marked "private." Under normal circumstances, these records cannot be viewed unless the password has been entered. However, in this state the Palm is very insecure and programs can be loaded (or sync'd) onto the Palm. Take the program called pCrack available for download at this tiny program can be quickly loaded on a Palm, used to decrypt and display the password on the screen, then the pCrack program can be deleted without the PDA owner's knowledge. You can download the program and try it yourself. This is very dangerous since most people do not change their passwords on a frequent basis unless forced to by a system administrator. Once a person has your password, they can access the private data on your Palm on a regular basis.

Barn door left wide open
In the second example, let us consider a Palm which has been placed in System Lockout mode. (i.e., my boss!) This can be activated by going to the Security application and picking "Turn off and lock." In this state, the Palm is fairly secure since no programs can be sync'd to it and it will not do anything until the password is entered. However, even this is not 100% secure. A document located at
explains how to download a file off the Palm even while it is in system lockout. That file can then be decrypted at the attacker's leisure as it uses a very weak encryption algorithm. In this manner it is very easy to obtain the password. I can attest that this works, as I have been able to crack the password on my own Palm using this method!

Beam me up, Scotty!
In the third example, a simple program called NotSync, explained in further detail here: can zap data off Palm Pilots - V3.co.uk - formerly , can allow anybody to download your password using the infrared ports on your and their Palm devices! It does this by fooling the targeted Palm into thinking it is HotSyncing with its desktop cradle. In reality, it is sending the HotSync handshaking information (which contains the password) to a malicious Palm user instead!

Du-uh
In yet another example, Desktop Password Bypass Vulnerability explains a rather trivial "hack" that can be used to bypass the password of the Palm Desktop software entirely, allowing anybody to read all your private records!

What can I do?!?
So you're probably wondering, This is pretty scary! What can I do to protect myself? There are several steps to take:

Make sure you have an assigned password
In the Security application, ensure you have assigned a password. If you do not, then anybody can come along, assign a password, and then lock your Palm. At this point, you will have to either do a hard reset (and lose everything) or try hacking into your Palm using one of the methods described above.

Turn off your infrared port
By going to the Preferences application, you can disable the infrared port. This prevents people from beaming your password off your Palm. Most people don't use the infrared port on a regular basis, so this isn't a big deal for most.

Don't store sensitive info in the first place
I know it's so convenient to use your Palm to store stuff like your Social Insurance Number, credit card numbers, passwords to Internet sites (like epinions.com) and the like. But if you don't have anything like that on your Palm, then there's nothing to be hacked.

Physically Secure your PDA
Leaving your Palm lying around is asking for trouble. Keep it on your person at all times if you can. Otherwise keep it locked up in a desk drawer or at least in a briefcase. Worse is if somebody steals it outright, even if they aren't interested in the data it might contain.

Use a third party encryption package
You can store private information on your Palm and keep it that way, through the use of third party software using stronger encryption than what is found standard on the Palm. I use a program called STRIP, which stands for Secure Tool for Recalling Important Passwords. I use it to store all my passwords, PIN numbers, credit card numbers, and other private information that I don't want anyone to see. I can trust it since it uses 256-bit DES encryption, which is a very strong encryption scheme that would take a very long time to crack (in the order of years). This program is freeware and it can be downloaded here:

If you're really paranoid, you can download 4Tnox from here: The Best Search Links on the this program is similar to STRIP except it uses 448-bit encryption. This encryption is not likely to be cracked in your entire lifetime. 4Tnox is available as shareware.

You should make yourself aware of the potential ways that security holes in the Palm OS can be exploited, so that you can protect the data stored on your PDA. I hope you have found this information useful so that you can trust your PDA to keep your secrets secret, the way it should be!

I want to hear from YOU!
If you are aware of any other security exploits which I have not written about in my review, please post them here and I will rewrite my review to include them!

Thank you for your support.
__________________
Audiovox SMT5600 (AT&T) - HTC Wizard (T-Mobile) - Palm Centro (Sprint)
The Following 2 Users Say Thank You to Mykec For This Useful Post:
eclair (06-26-2009), jfa02 (06-26-2009)
06-26-2009, 06:07 AM   #3
eclair
Very interesting article. I don't think I would keep my #cc info on a device without strong encryption. I would keep it on an SD card in a hidden file, which doesn't even show up to the unknowing observer. There is a moral though; don't leave your Treo alone. There are some great looking encryption apps in the Treonauts store I have been looking at. You've inspired me to get off my duff and place an order!
06-27-2009, 03:12 PM   #4
Mykec
Thanks for the reply. Also, I just wanted to make clear that I hope I did not alarm anyone. I’m pretty sure, or hope, what’s mentioned in the article has been fixed by Palm, since the article was from 2001. GO PALM CENTRO