Shocking: Master password is automatically sent in the background to the SplashID server
After updating SplashID to V7 on my iPhone I had to (MUST!) confirm that the app sends my e-mail address to the splashid.com server for validation. From this point in time a SplashID Safe Personal Edition account was created to log in to https://www.splashid.com/personal/webclient/. That I didn't want, but OK. But then the shocking item. Every time I changed my application password in the iOS app or the desktop client, the password for https://www.splashid.com/personal/webclient/ was automatically changed, too!!! That means that the apps transfer my private application password to their servers. This is unacceptable! According to German laws this is criminal. Because splashid.com And now... I have to throw the app away. Changing all passwords, asking for a new credit card.... I'm shocked
Originally Posted by richterwk
Your master SplashID Safe password is never stored on any of our servers.
What is stored is the so-called hash/salt of your password, without which you would not be able to log in. Also, we do not have any access to your data - you are the only person that can access it.
You can see more info on our Security Policy here:
The password changes on all devices and Cloud to make working with the new 7.0 seamless and easier for our customers, it is not a security breach.
If you don't want to use our Cloud Sync solution, you can also use WiFi Sync, which stores nothing but activation/license info on our servers.
Please tell me if that helps or not. Please tell me if you have any other questions.
Thank you for the quick answer. It is good to hear that you only transfer the hash of the password (but nevertheless - I would like to switch this off).
I will only use the app on my iPhone and Windows desktop using WiFi Sync. I don't want a cloud account (SplashID Safe Personal Edition account). I never will store my password data in a cloud.
How can I delete the account for https://www.splashid.com/personal/webclient/ and switch off the transfer of the password hash to your servers?
Thank you very much!
I agree and want to delete my online account - in addition it seems to slow the apps down; on both the iPad and iPhone the apps seem to start up quicker in Airplane Mode - switch off the lookup to your servers and we'll all experience a faster app... Many thanks
"If you don't want to use our Cloud Sync solution, you can also use WiFi Sync, which stores nothing but activation/license info on our servers."
nikolai, i am unclear on this. i've ONLY used the local wifi sync, in the past, and currently with the new version. i had an online account with the same email address as my apps (and mac program), but a different password. today, when i tried to log into that account, per the congratulatory email from you, i was unable because i was using that same password. then, on a lark, i tried the same password as my apps and it worked. so somehow, that password IS in your system to access the account.
I'm also upset!
Originally Posted by Nikolai
I totally agree with author richterwk.
I do NOT want any of my splashdata files or my password to be stored anywhere other than on my own laptop and phone. This was the reason I chose SplashID at the time of purchase, because I was told this was the way it works.
I repeat I do NOT want this and I did not give you permission to transfer my password to your systems.
Why on earth did you do this without asking for my permission? This is highly illegal and unacceptable! I feel like, no you HAVE been stealing my password!! No matter what you are saying about hash or salt, I don't even know what that is. It's obvious you DID take my password otherwise I wouldn't be able to login on some webclientpage of yours that I didn't ask for.
How can you make sure that this data is removed from your servers, because that's what I want you to do.
Sorry, but you contradict yourself. You DO store the PASSWORD HASH in addition to the activation/license info. And that puts a critical piece of information on your servers. Cracking a hash is a real threat, so I do not want hashes for critical passwords like the master password where they do not need to be. For a security app this behavior is simply unacceptable as it creates an unnecessary risk. If I chose WiFi sync it means do not store ANY information that can be used to help an attack on your servers without my consent. Having no way to disable the password sync is a really bad design choice.
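Added example, not part of any post in this thread and not SplashID's code: a minimal sketch of how a server can check a login while keeping only the "hash/salt" the support reply mentions, and why a password change in an app makes the web login follow it. PBKDF2-HMAC-SHA256, the iteration count, the `AccountStore` class and the sample e-mail address and passwords are assumptions; the thread does not say which algorithm SplashID uses or where the derivation runs.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; the thread does not give SplashID's


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the salt/hash record a server keeps instead of the password."""
    salt = os.urandom(16)  # random per account, stored in the clear
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


class AccountStore:
    """Hypothetical server-side table: e-mail -> salt/hash record."""

    def __init__(self):
        self.records = {}

    def set_password(self, email: str, password: str, iterations: int = ITERATIONS):
        # A password change on any device replaces the stored record, which
        # is why the web login follows the app password in the thread.
        self.records[email] = make_record(password, iterations)

    def login(self, email: str, candidate: str) -> bool:
        record = self.records.get(email)
        return record is not None and verify(record, candidate)


if __name__ == "__main__":
    store = AccountStore()
    store.set_password("user@example.com", "old app password")  # constructed
    store.set_password("user@example.com", "new app password")
    print(store.login("user@example.com", "old app password"))  # False
    print(store.login("user@example.com", "new app password"))  # True
    # verify() needs only the record, so a copied record can be tested offline;
    # the iteration count and the password's strength set the cost per guess.
```

The record never contains the password itself, but it is sufficient to confirm a correct guess, which is the exposure the WiFi-only users in this thread are objecting to.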
Originally Posted by Nikolai
Luckily I was able to downgrade back to version 6. I hope you come to your senses and provide an update soon that will disable this behavior.
For me too, storage of any part of my password data in the cloud is a deal breaker. I do not want you or anyone else to have my password or its hash.
What may not be a security breach to you is a breach of faith to some of your customers.
I agree. I don't want the hash for my master password stored online. I realize that it would be very difficult to break the hash if someone were to gain access, but why put it there if it serves no purpose and adds no benefit to WiFi only users? It's more secure for my password to not be online at all in any form than it is to have the hash stored online.
The only reason I didn't switch to 1Password over the past few years is because I didn't want any of my passwords online. Now my master password is being stored online, without my consent.
I want my online account deleted. How do I do that?
I totally agree...
I totally agree with the other posters here. This is an absolute breach of trust on SplashData's part. If people are choosing to keep their data private then they mean all of it. ESPECIALLY the master password (hash included).
Also don't try and remove your online account. It deletes your purchase history, and then you are still forced to make a new account or the app goes into read-only mode, which exaggerates this issue even more with another call-home function.
This poor design choice needs to be fixed.