Response from Agilebits (publisher of 1Password) to this paper: http://blog.agilebits.com/2012/03/16/strong-security-requires-strong-passwords/
Wow, some of these are amazingly insecure. It's really incredible that at least one of the developers of a paid security app stores the master-password encrypted (not-hashed) using a hardcoded private key.
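An added illustration, not code from the paper or from any of the apps discussed, contrasting the two designs the comment above refers to: a reversible copy of the master password protected by a key baked into the app, versus a salted PBKDF2 verifier from which the vault key is derived only when the right password is presented. The XOR step is a constructed stand-in for any cipher used with a hardcoded key; the key value and iteration count are assumptions.

```python
import os
import hmac
import hashlib
from typing import Optional

# Constructed stand-in for the weak design: the key ships inside the app binary,
# so anyone holding the app (or a backup of it) holds the key as well.
HARDCODED_KEY = b"example-hardcoded-key-0123456789"
ITERATIONS = 200_000  # assumed PBKDF2 work factor


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def store_master_weak(master: str) -> bytes:
    """Reversible storage: 'encrypt' the master password under the fixed key."""
    return _xor(master.encode(), HARDCODED_KEY)


def recover_master_weak(blob: bytes) -> str:
    """Same key, same operation: the stored blob yields the password itself."""
    return _xor(blob, HARDCODED_KEY).decode()


def enroll_master(master: str) -> dict:
    """Hardened: keep only a salt and a verifier; the password is never written."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    # First 32 bytes: vault key, kept in memory only. Last 32 bytes: stored verifier.
    return {"salt": salt, "iterations": ITERATIONS, "verifier": key[32:]}


def unlock(record: dict, candidate: str) -> Optional[bytes]:
    """Return the vault key only if the candidate reproduces the stored verifier."""
    key = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"], dklen=64
    )
    if not hmac.compare_digest(key[32:], record["verifier"]):
        return None
    return key[:32]
```

Nothing on disk in the hardened record lets the vault key be computed without the password, so an attacker with the device image still has to guess it.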
In short, protect your device from physical access by untrusted people, and don't connect it to untrusted machines. Use a PIN or device password just in case someone else does get ahold of your device.
One Ring to Rule Them All... but seriously, interesting article; I think more interesting is the phone log-in password that all smart phones now have. I just read an article where the DOJ subpoenaed Google to unlock an Android based phone because after several weeks of working on the log-in, they still couldn't get in. If you think about it, password management software for your phone is really protected by 2 systems, the one native to your phone and the app's own security systems. Although, yes, some of these apps are essentially bunk.
Conclusion from the article:

"Many password management apps offered on the market do not provide adequate level of security. We strongly encourage users not to rely on their protections but rather use iOS or BlackBerry security features.

For Apple users: set up a passcode, and a (complex!) backup password. Do not plug the unlocked device to computers you do not trust to prevent creation of pairing. If you can't encrypt backup for some reason, restrict access to it as much as possible."