A brand new and very handy Audit feature has just been released to the App Store! Here’s a little more detail on this much requested feature.

Details screen indicating a weak password (‘princess’ is a very common password!)

The Audit feature is designed to detect and highlight weak or compromised passwords so that you can take whatever action you feel is necessary to maintain your security. The Audit is performed by a new component imaginatively named the Auditor. When you unlock your database using your master credentials (or Face ID/PIN code), the auditor begins checking your entries for weaknesses. If it finds an issue it highlights it in the UI like this:

Browse Screen showing an entry with an audit issue

Audit Checks

The Auditor checks for 4 types or categories of weak passwords:

  • No or empty password
    • This checks for entries that have no password at all. This may not suit some users, since some people deliberately leave the password blank on certain entries.
  • Duplicated passwords
    • This checks if a password is ever duplicated, i.e. used by more than one entry in the database. Ideally one should never reuse a password.
  • Well known or common passwords
    • The Auditor is smart and knows some of the most commonly used passwords, just like the hackers do. It checks each entry for well known and weak passwords. There’s never really a good excuse to use one of these.
  • Similar passwords
    • This is another smart feature of the Auditor: it is able to detect similar passwords, e.g. ‘Princess’ and ‘princess1’. Hackers are aware of these minor variations on a theme, and they should not be used to mask the underlying weakness of your passwords.

All of the above checks can be configured individually on or off, see below under Configuration for further details.
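To make the four checks concrete, here is a small offline auditor written for this post (it is an added illustration, not Strongbox’s own Auditor code). The wordlist and sample database are constructed, and the similarity test (a shared stem after stripping trailing digits/symbols, or a high string-similarity ratio) is an assumed heuristic, since the post does not describe the real algorithm.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample wordlist; a real auditor ships a far larger list of common passwords.
COMMON_PASSWORDS = {"123456", "password", "princess", "qwerty", "letmein"}

def normalize(pw: str) -> str:
    """Lowercase and strip trailing digits/symbols so 'Princess1!' and 'princess' share a stem."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())

def is_similar(a: str, b: str, threshold: float = 0.85) -> bool:
    """Two distinct passwords are 'similar' if they share a stem or are near-identical strings."""
    na, nb = normalize(a), normalize(b)
    if na and na == nb:
        return True
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold

def audit(entries: dict, checks=("empty", "duplicate", "common", "similar")) -> dict:
    """Map each entry title to the set of issues found. Purely local: no network access needed."""
    issues = {title: set() for title in entries}
    if "empty" in checks:
        for title, pw in entries.items():
            if not pw:
                issues[title].add("empty")
    if "duplicate" in checks:
        by_password = {}
        for title, pw in entries.items():
            if pw:
                by_password.setdefault(pw, []).append(title)
        for titles in by_password.values():
            if len(titles) > 1:
                for title in titles:
                    issues[title].add("duplicate")
    if "common" in checks:
        for title, pw in entries.items():
            if pw.lower() in COMMON_PASSWORDS:
                issues[title].add("common")
    if "similar" in checks:  # pairwise scan; fine for a personal database, bucket by stem for large ones
        for (t1, p1), (t2, p2) in combinations(entries.items(), 2):
            if p1 and p2 and p1 != p2 and is_similar(p1, p2):
                issues[t1].add("similar")
                issues[t2].add("similar")
    return issues

# Constructed sample database: title -> password.
SAMPLE_DB = {"Bank": "Princess", "Email": "princess1", "Wifi": "",
             "Shop": "x9!Tq2#vLm", "Forum": "x9!Tq2#vLm", "Blog": "Tr0ub4dor&3"}
```

Running `audit(SAMPLE_DB)` flags Bank as common and similar, Email as similar, Wifi as empty, Shop and Forum as duplicates, and leaves Blog clean; passing a shorter `checks` tuple mirrors switching individual checks off in the configuration screen.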

Technical Overview

The Auditor runs in the background at low priority, so it never gets in your way (it’s usually very quick, almost instantaneous, but this depends on the number of entries in your database).

All of the above checks are done completely offline; there is no network activity. It goes without saying that your passwords are never sent to any super smart server for checks: the Auditor is smart enough to do all of this on your device only. Switch on Airplane mode and give it a try!

Configuration

Of course, not all of these checks may suit your usage, so you can configure the individual checks the Auditor performs, or switch the whole feature off entirely. It’s up to you. The configuration screen can be found by tapping the ‘Preferences’ button (the little gear icon in the bottom left corner), then tapping ‘Database Auditing’:

The Audit Configuration screen will then appear:

Here you can control the Auditor!

We hope you enjoy the new Audit feature, let us know what you think!

-Mark (Strongbox Founder)

support@strongboxsafe.com


Mark McGuill

Strongbox Founder

5 Comments

Dan · April 28, 2020 at 2:56 am

I’m a long time KeePass user and new to Strongbox. There is a lot about Strongbox to like and I expect after my trial, it will be a keeper. But I would like to suggest a couple of modifications.

1) I don’t like any program that automatically downloads data by default. So I don’t like that the default is to auto fetch favicons. That seems like an unnecessary security risk. I would suggest the default to be not to download favicons.

2) I’d like the ability to save my view and audit preferences and make them the default for any new database that I load. In fact more than half of the default preferences are not working for me. I use KeePass (or Strongbox) for more than just passwords and hence I am regularly loading new databases that require me again to alter preferences.

Thanks for listening.

Dan

    Mark McGuill · April 28, 2020 at 12:31 pm

    Hi Dan, thanks for the comment and suggestions.

    1) That’s fair, I hadn’t considered this deeply enough and raced ahead because it was a nice feature I liked. I think the answer here is to ask at the first opportunity if the user wants to enable this feature, with an indicator that it involves network traffic. Will add to list and get done. You can track here:

    https://github.com/strongbox-password-safe/Strongbox/issues/330

    2) OK, that’s something I haven’t really considered before. How would you see this working? When adding a database, perhaps one could be asked if you want to keep a previous database’s settings?

    Cheers!

New Security Audit: ‘Have I Been Pwned?’ – Strongbox · May 6, 2020 at 2:45 pm

[…] been looking forward to for a long time. It finally came time when the Security Audit subsystem was released last week. I hope you’ll enjoy it, find it useful and that it helps make you more […]
