You can now use Strongbox in Greek. Update your app to version 1.58.3 to take advantage.
A big thank you to John Spiropoulos for providing the Greek localisation.
Let us know which language you would like to see Strongbox support next.
Strongbox is now a universal App. This means it runs on both iOS and macOS, and it also means you only need one license to take advantage of all Pro features on both platforms. This has been a much requested feature, and from a quick glance at our support inbox over the last year, this should massively reduce confusion for most users.
Let’s try to answer the most common questions our users have had over the last week or so as it rolled out.
Strongbox Universal is a single Strongbox App for both iOS and macOS. There is a single App listing in both App Stores and a single Pro license for Pro users.
We released our universal builds on the 28th July 2022.
Strongbox Universal simplifies things, especially for new users. It also simplifies things for existing users who use Strongbox on both platforms.
If you previously paid for a subscription or outright license on iOS, your license now covers macOS as well. Congratulations! 🎉
There are 2 kinds of iOS Pro license you could have, either an In App Purchase Pro license or an Outright Purchase license, depending on how you upgraded. Choose your license below:
This can happen to some Apple IDs, in fact it happened to some of our own during testing… Before you continue as indicated below, make 100% certain that the following is the case:
If that doesn’t work, then you will simply need to click the ‘Purchase’ or ‘Price’ button on the Mac App Store. This can feel a bit scary unfortunately, but you’ll get a couple of popups and warnings and then you’ll get a message saying ‘This Update is Free’. This appears to be an Apple issue with some Apple IDs.
If you previously paid for Pro on macOS, you do not qualify for a free update to the Universal Strongbox app. Your macOS license will continue to work exactly as before, and you will receive updates, new features and bug fixes for life on macOS. If you would like to also use Strongbox Pro on your iOS devices, you could consider purchasing a new subscription or license.
The best source for Strongbox as always is the App Store, and in particular our Freemium distribution here:
https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731
In line with Apple’s App Store guidelines, the Free Trial is part of a Yearly Auto-Renewable subscription. You sign up for the Yearly Pro subscription and you will automatically receive a 3-month free trial before you need to pay for the subscription. You can cancel this subscription at any time, before, during or after the Free Trial.
Zero. Absolutely None. Both apps will remain identical feature wise forever. They will receive updates and features on the same schedule forever. No difference. Apple unfortunately provides no way for us to merge the Apps so we have to support both, which we will continue to do.
There have been no changes to Strongbox Zero, everything remains as before. We do have longer term plans to make a Zero version for macOS, and at that point we will endeavour to make Strongbox Zero a Universal App too.
This is a long story… TLDR: Apple’s App Store does not allow us to hide builds for new users.
There are now 2 recommended ‘Universal’ Apps in the App Store that we recommend for all new users because they will work on both iOS and macOS with a single license:
Strongbox – Freemium In App Purchase – (Universal App for iOS and macOS)
Strongbox – Outright Lifetime Pro – (Universal App for iOS and macOS)
There are also on the macOS App Store the 2 previous Apps for our existing customers who upgraded before Strongbox Universal licensing was possible:
Strongbox Freemium In App Purchase – (Runs on macOS Only)
Strongbox – Outright Lifetime Pro – (Runs on macOS Only)
These are actually two identical copies of Strongbox but they differ in the purchase method.
Both offer the same Pro feature set and same update schedule. The only difference is that you pay upfront immediately for the Outright Purchase and the Icon has a cosmetic Pro tag on it (this is to fit in with Apple HIG/App Store guidelines).
The reason for this is that businesses sometimes prefer to buy in volume upfront. Freemium is to allow users to use the limited feature set for free or upgrade easily via In-App Purchase whenever they want to. It is important to know which version you previously purchased: was it up front, or was it an In-App Purchase? Your Apple receipt should say.
Yes, Strongbox is now a universal App, which means it runs on both iOS and macOS, and uses a single license across these platforms.
The license is linked to your Apple ID. So no matter what device you use (iPhone/iPad/Mac), as long as you are signed in with the correct Apple ID, you will have access to Strongbox Pro.
NB: You may need to tap the ‘Restore Purchases’ or ‘Already Purchased‘ button on the Upgrade screen.
Note 1: If you’re not sure which version of Strongbox you have purchased you can click on the links above and you will be able to see in the App Store which one is available for you.
Note 2: If you have previously purchased one of the macOS only apps, then not to worry, you will continue receiving updates and features forever. In July of 2022, we made the required changes to Strongbox to be a ‘Universal App’ meaning it can run on both iOS and macOS platforms and so that is now our recommendation for new users.
Note 3: You can change the App icon if you like at any time.
Just take me to the 1Password to KeePass migration steps…
We have received much correspondence over the last month or so from some very anxious 1Password users. The news that 1Password is dropping support for local only vaults as well as their decision to go with an Electron based UI has alienated former fans. Fortunately, here at Strongbox, we have no such plans to go with Electron and control over your vaults (we call them “databases”) is kind of our thing. We believe you should own your most important secrets and that not everything needs to be stored or managed in the cloud.
One of the biggest complaints from users coming from the fully managed 1Password environment is how to get your databases from 1Password into Strongbox or even just a more portable format. Previously we had a long set of instructions with exceptions, tricky steps and third-party tools. 1Password has not made it an easy task for other developers to import their vaults. The format of their export files can only be described as a frustrating and chaotic mess. Not to be deterred, we’ve worked hard on deciphering the madness, and now, with the release of Strongbox version 1.16.2 on MacOS, we have a much simpler set of instructions which should lead to a much better experience for 1Password refugees.
Strongbox uses a time tested and super secure, open-source format called KeePass by default to manage its databases. This means there is no lock in. If you decide you don’t like Strongbox, that’s fine, take your vaults to one of the many other KeePass clients available on every platform known to humanity. We’ll work hard though to make sure you like Strongbox.
So, as the founder, I’d just like to welcome you aboard. I hope you’ll like Strongbox, even if you just use it to convert your vaults into nice, friendly, open-source KeePass databases. I hope you’ll decide to stick with Strongbox. We’re a small company and we respect your privacy. We believe you should own and control your secrets, that’s our USP. We also offer a full 90 day free trial of all our Pro features, and after that we even offer a free and slightly more limited version that you can use forever. We hope though that you’ll choose to stick with us. Any feedback you have on the importation/migration process is most welcome. We’ll be adding import support to our iOS app shortly too. So, Welcome aboard!
-Mark
Full Migration Steps are available here.
So what is this Duress PIN thing and how does it work? The name gives it away, let’s look at a dictionary definition of duress:
Note: The Duress PIN Feature is part of the iOS Pro feature set
The idea of a Duress PIN is simply that, if for whatever reason, you are in a bad situation where someone is forcing you to unlock your database, you can enter a different PIN than the correct one, and Strongbox will perform some kind of plausible action but not reveal your passwords/secrets.
You could be a human rights worker entering an authoritarian country with no real commitment to personal freedoms or perhaps you’re simply someone who likes their privacy and wants to keep their secrets private. Sounds like a simple wish, but once you arrive at the customs port of your destination country, all bets may be off, the enforcers will want what they want or you’re not getting in. Maybe you work in a dangerous part of the world, and you fear some criminal elements may force you to reveal your banking details or similar. Whatever it might be, anyone could find themselves under duress.
So how do I set up my Duress PIN? The first thing you need to do is set up a regular non-duress PIN, what we call a convenience PIN. This allows you to open your Password Database with a short set of digits (like your ATM PIN). To do this, simply:
Next we will want to set up a separate PIN, our Duress PIN. To do so, let’s go back to that PIN Configuration screen:
Once done, you’ll notice that the ‘When Duress PIN Entered‘ section is now enabled and you can choose from the three available options. Let’s have a look at these options in turn and see what they do:
Those are your options, and you’ll need to choose which one suits your particular scenario best. We can’t offer advice on this, only you can decide. Indeed, you will need to decide if you want to use this feature at all. Take a look at our short note of caution below before deciding if using a Duress PIN is something you really want to do. Another option you may consider is to simply remove the database from Strongbox completely during transit in and out of problematic territory. You can re-add your database once you’re safely through that tough jurisdiction, or sticky situation.
A Final Note of Caution
It may actually be illegal or counter productive to enter a duress PIN in some situations, because if you get caught somehow doing this, the relevant forces/legal authorities may consider this as a deceptive act and may take punitive measures against you. This is something you’ll need to consider as part of your particular situation and threat model. It is worth examining how your target jurisdiction will react if you somehow were discovered to be using a Duress PIN in a situation like this. Strongbox only provides this powerful option, the choice then, is entirely yours.
Strongbox now supports WebDAV and SFTP on MacOS. These new storage providers have been much requested because they provide the ability to host your own KeePass database on your own storage, in a way that allows for synchronisation across devices and availability from anywhere on the Internet (if you like).
Note: The WebDAV & SFTP are part of the MacOS Pro feature set
WebDAV and SFTP are public open protocols supported by a wealth of different devices. Indeed SFTP is probably the standard way of transferring files on Linux based systems. Because it is built on top of SSH, it is also the most secure way to do this. WebDAV is an open extension of HTTP, adding new methods like PROPGET and PROPFIND and can sit seamlessly on top of a regular HTTP(S) session. In particular WebDAV is supported by Nextcloud and Owncloud, 2 popular up and coming privacy conscious storage solutions, which allow users to operate or subscribe to their own personal storage solution. Often Nextcloud runs on top of a NAS. Alternatively, many NAS devices support WebDAV and SFTP natively, for example Synology and QNAP provide their own implementations.
If you’re not keen on storing your database on your cloud provider, perhaps a free Dropbox or Google Drive account, but you want the convenience of a centralised location to store your password database, then WebDAV or SFTP could be for you. Strongbox tries to make this straightforward and has supported these protocols on iOS for quite a while. Now these protocols are available on MacOS.
To add a WebDAV or SFTP hosted database to Strongbox, simply:
Strongbox will sync your changes back and forth (merging automatically where necessary). Strongbox also checks if your database has been changed by another process periodically and updates it if so, so you’re always working with the latest version.
We hope you’ll like this feature and that it’ll all be smooth sailing, of course we’d love to hear what you think and if we can improve in any way!
It seems that Synology released an update (version 5.15.0 on April 13th 2021) to their DS File App which appears to be problematic for users who use the “Files” method to sync their databases with Strongbox. Unfortunately we don’t know exactly what Synology have done here, and there’s little we can do to fix things. So we would like to make sure everyone is aware of the best way to perform sync with a Synology device.
Update 13-Sept-2021: We are receiving reports that Synology have now fixed their App. We continue to recommend the methods below.
We always recommend users use either WebDAV or SFTP to sync their databases with their Synology NAS devices as it appears to be a much more reliable method and isn’t prone to getting things out of sync or randomly failing. You can also access your NAS via SFTP/WebDAV using the MacOS version of Strongbox.
A Note on using SMB
Unfortunately there are reports that SMB isn’t very reliable via iOS Files and also suffers from security issues, so using it over the public Internet isn’t recommended.
WebDAV & SFTP – Recommended
So we’ll stick with WebDAV & SFTP. This is all the more pressing now with the release of the broken DS File update. In this article we’ll cover getting WebDAV or SFTP up and running and connecting via Strongbox’s built in WebDAV support.
The authoritative Synology instructions can be found here. In a very short summary you need to:
Some tips/tricks from other users who managed to get WebDAV working on their setups. These may or may not apply to you and haven’t been verified:
The authoritative Synology instructions can be found here. In a very short set of instructions:
There is a good YouTube video which explains the steps to configure your Synology as an SFTP server.
There is a plethora of information in the below video for how to configure your NAS for external connectivity which you may find helpful. It is presented in a friendly and funny way. Worth a look.
Please let us know if we should add any other details, or how your experience was with these instructions, so that we can update this article for others.
Recently our founder, Mark, sat down (virtually) for an interview with Aviva Zacks over at Safety Detectives. In this short piece he speaks about the origins of Strongbox, how the threat landscape is looking and the growing need to manage our online lives securely. So, if you’re interested and have a few minutes, why not take a look. You can find the interview here:
https://www.safetydetectives.com/blog/interview-mark-mcguill-strongbox/
Thanks to Aviva and Safety Detectives for reaching out.
Strongbox on iOS now supports Offline Editing. Previously it was only possible to view your database while offline but now it’s possible to add, remove, edit and reorganise your database while out on that remote hike, on a flight or even just on the Tube.
Offline Editing depends upon our recently released feature Compare & Merge and the ability to maintain an independent local copy of your KeePass (or Password Safe) database with changes, and synchronise with a remote version of your database.
NB: Offline Editing is a Pro only feature (though you can always view a read only copy of your database in the free version).
Strongbox tries to detect when you are offline and immediately offer this option to you, but sometimes you will just want to manually initiate this offline editing process yourself for whatever reason. That’s super easy now. Just long tap on your database and select Open Offline.
This will open Strongbox in Offline mode. This means you can still make all the changes you normally would, or just search for an entry. However, any changes are stored only locally, ready for sync’ing back to your remote storage location whenever you next come online, or perform a sync. If you do have local changes that need to be sync’d you will see an orange icon next to your database on the main Databases List (“Home”) screen. You can always initiate a sync by pulling down on the Databases List or just tapping to unlock the database in question. Strongbox will manage any synchronisation conflicts and present options to merge if required.
This was one of our most requested features so we’re really happy to have been able to get this one out the door. It took a lot of work and relies on some other features that we’re really proud of. We hope you’ll like it, find it useful and that it makes your life a little bit easier.
With the release of Strongbox 1.51.0 comes (finally) the much requested “Advanced Sync” feature. We wrote about this a little in our previous update about Compare & Merge. It is the “Merge” part of this feature where the real magic happens. This is the core component that Advanced Sync relies on to perform smart updates so that you don’t lose or overwrite your important data.
Advanced Sync occurs in two directions. When you tap (or pull down) on your database, you “read” the latest version of your database from say Dropbox or your SFTP server for example. It also occurs when you add items or edit your database on your iOS device and push changes (or “write”) to the same remote storage provider.
Advanced Sync checks to see if the remote (e.g. Dropbox) database has been modified or changed from the copy you have “locally” on your device. It’s quite possible if you’ve got a family member or colleague working on the same database, or if you’re working across multiple devices swiftly. This leads to the dreaded “Sync Conflict” scenario. There are two conflicting versions of your database.
Previously you would have no choice but to choose between versions (local or remote) and allow an overwrite to happen. Less than ideal. Worse still, this may just have happened silently and you didn’t even get the option to choose which version to keep.
With Advanced Sync, not only do you get informed that there are differences between your local copy and the remote, but you can view them (this is a Pro feature) and then choose to “Auto-Merge” them (available to all users Free and Pro) so that you keep both sets of changes. The Merge algorithm (described in more detail here) picks the latest changes, archives the older changes in your history and basically just does the right thing, getting out of your way. It won’t force you to pick a version in a confusing fashion either! It really is the best of all possible worlds as an old philosopher once said.
This has been a long requested feature and we believe this kind of functionality is a blessing in a password manager based on flat files and not on a centralised server where someone else owns your data. We hope you’ll agree this is really useful and important.
That’s it from us, it’s been a busy period of development (apologies for the flurry of updates recently!) and getting these changes out the door is not as smooth a process as we always hope. Thanks for putting up with these changes and please feel free to share this article if you think it will be of interest to anyone.
Coming Soon: We’ll talk a little about Offline Editing, our latest and (possibly) greatest feature!
A key component required for developing the Advanced Sync feature (coming soon) is the ability to compare databases and then to merge them. It’s quite a big feature and the development work is quite large. Since Advanced Sync is our number one development priority we’ve been deep in the code caves working on it for quite a while. Apologies if it looks like we’ve been slacking off!
With the release of version 1.50.13 on iOS we decided to not only add this functionality but also to make it available in a friendly UI. So no more flying blind when you’ve got 2 slightly out of sync copies of your databases. Just fire up Strongbox, select Compare & Merge from the context menu and let it do the hard work of comparing all entries. Optionally then you can choose to merge the databases so that you have the latest entries, edits and moves from both.
NB: The Compare feature is a Pro feature only. Advanced Sync (see below) will be available for free as we believe it’s just bad news for everyone in the password management world if we have out of sync databases promulgating.
Let’s take a look at this new feature briefly. One of the most common ways you can get out of sync versions is when you have multiple “editors”. Perhaps you are sharing your database with your partner Mary. Let’s say Mary goes off on a nice hike and (for some reason) decides to cleanup or re-organise your shared database. Meanwhile around the same time, you are at home and you just found a cool new bookshop which you signed up to immediately. Of course you diligently entered your login details into your Strongbox database. Well now we have arrived at that dreaded out of sync situation… What do these two databases look like? Let’s see an illustrative example.
Ruh roh… This is less than ideal. Joe has added his new favourite bookshop, Waterstones, to the database. Meanwhile Mary has been tidying up the database, moving entries around and creating a nice group structure. Ideally we really don’t want to lose any of these changes!
Well that’s where the new Compare & Merge feature comes in super handy! Let’s say Mary gets back and now you both realise your databases are out of sync. No problem! Let’s get Mary’s copy on to our devices and get the process started.
We tap and hold our database and select ‘Compare & Merge’ then follow the instructions on screen.
Finally we get to the comparison screen. As you can see Strongbox has figured out what changes were made by Mary and the changes necessary to bring your database up to speed with all of her changes. You can see she has moved a number of items around (you can even drill down and find out to where) and created a number of groups.
If you’re happy with all these changes you can go ahead and tap Merge to have Strongbox perform these moves, additions and edits. So that’s it! Here’s what that looks like after the Merge.
That’s all there is to it really. There is a ton of complexity hidden behind this pretty UI but we hope that’s what you’ve come to expect of Strongbox. Now a short word on our next major feature, Advanced Sync, which automates this process, and which we promise is coming really soon!
As you have probably guessed the same algorithm that is used for comparing and merging your databases intelligently can be used and automated when Strongbox detects your local and remote databases have gotten out of sync. Advanced Sync depends on this smart/intelligent algorithm and so that’s why this latest feature ‘Compare & Merge’ has come first. It’s a little more awkward to set up a merge because you need to add the other version of the database. We feel it was worth making this its own feature though. You never know when you’ll need to compare databases! Advanced Sync will seamlessly integrate this feature into the already extensive Sync architecture of Strongbox. Fingers crossed you’ll never see another out of date version of your database again.
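The Joe and Mary scenario above, worked through as an added example (this is not Strongbox's code or its actual merge algorithm). It assumes a simplified model in which each entry carries a UUID, a last-edit time and a last-move time; the `Entry` fields, integer timestamps and sample entries are constructed, and deletions are not handled.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Entry:
    uuid: str
    title: str
    password: str
    group: str
    modified: int        # last content edit (constructed integer timestamp)
    moved: int           # last time the entry changed group
    history: tuple = ()  # older versions as (modified, title, password)


def snapshot(entry):
    """The content of one version, in the form stored in history."""
    return (entry.modified, entry.title, entry.password)


def merge_entry(a, b):
    """Newest edit wins, the losing version is archived, newest move wins."""
    newer, older = (a, b) if a.modified >= b.modified else (b, a)
    history = set(a.history) | set(b.history)
    if snapshot(older) != snapshot(newer):
        history.add(snapshot(older))   # keep the overwritten version
    history.discard(snapshot(newer))   # the current version is not history
    group = a.group if a.moved >= b.moved else b.group
    return replace(newer, group=group, moved=max(a.moved, b.moved),
                   history=tuple(sorted(history)))


def merge(local, remote):
    """Merge two databases given as {uuid: Entry}; additions on either side survive."""
    merged = {}
    for uuid in sorted(local.keys() | remote.keys()):
        if uuid in local and uuid in remote:
            merged[uuid] = merge_entry(local[uuid], remote[uuid])
        else:
            merged[uuid] = local[uuid] if uuid in local else remote[uuid]
    return merged


def build_scenario():
    """Constructed sample data: Joe adds and edits, Mary reorganises."""
    bank = Entry("u-bank", "Bank", "pw-bank", "Root", 100, 100)
    mail = Entry("u-mail", "Email", "old-mail-pw", "Root", 100, 100)
    joe = {
        "u-bank": bank,
        "u-mail": replace(mail, password="new-mail-pw", modified=210,
                          history=(snapshot(mail),)),
        "u-books": Entry("u-books", "Waterstones", "pw-books", "Root", 200, 200),
    }
    mary = {
        "u-bank": replace(bank, group="Finance", moved=150),
        "u-mail": replace(mail, group="Personal", moved=160),
    }
    return joe, mary


if __name__ == "__main__":
    joe, mary = build_scenario()
    for entry in merge(joe, mary).values():
        print(entry.title, "| group:", entry.group, "| password:",
              entry.password, "| history:", entry.history)
```
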
Compare & Merge is a super handy tool for your databases. It should give you the confidence you need to perform merges and perhaps even figure out how you ended up in the non synchronised state in the first place. The process will be more automated as part of your regular Strongbox sync in the coming weeks so you might come across this and appreciate it completely serendipitously… We hope you’ll like it! 🙂
Lastly if you liked this article or you think this is a cool feature, please feel free to share it on social media or with your friends and family.
As of version 1.49.24 on iOS and coming soon on Mac, Strongbox is now localized in Japanese and available to all users in Japan! We hope you’ll like it. 🙂
We know that KeePass is super popular in Japan and Japanese users are early adopters and power users of password managers and computer security in general, so we’re proud to finally offer a much more native experience. Please let us know what you think!
We’d love to add more languages and are always looking for help and suggestions, so please get in touch if you’d like to see Strongbox in your language!
Arigato! ありがとうございました
With the release of version 1.49.23 on iOS today, Strongbox now offers the possibility of creating Virtual Hardware Keys. These are software implementations of the popular hardware tokens from various vendors. Strongbox already supports hardware keys over NFC and Lightning in the Pro edition.
Virtual Hardware Keys are a new feature of Strongbox available to all, free, for life. If you like Strongbox, consider supporting us by purchasing a subscription or license.
While using a hardware token provides an excellent extra factor for encrypting your KeePass databases, there are (or were!) some downsides that really put a dampener on adoption of a hardware key as a second (or third) factor. One of the main blockers is the lack of support for NFC and Lightning in AutoFill mode. Apple does not allow NFC to be used in App Extensions (the technical term for the execution context of the Strongbox AutoFill component). Some vendors do not offer library support for Lightning (MFI) in App Extensions. This has led to a suboptimal situation whereby you can use your hardware key in the main Strongbox app, but you cannot use the extremely convenient iOS AutoFill feature.
Enter the new Strongbox feature, Virtual Hardware Keys. You can create a Virtual Hardware Key within Strongbox which is a software simulation of the process that takes place on your hardware key, technically an HMAC-SHA1 digest. To do this you will need the secret you programmed your hardware key with originally (something you will or should have stored somewhere very secure in case of device loss). Using this secret Strongbox can mimic your hardware key in software. Strongbox stores this secret securely in the Secure Enclave on your device.
There are two main scenarios in which you’ll want to use a Virtual Hardware Key. Let’s deal with them in turn…
As mentioned above, you cannot use a hardware key in iOS AutoFill mode due to system limitations. This led many to abandon a hardware key as a second factor on iOS. Because Virtual Hardware Keys are entirely software based, you can use them in AutoFill mode. Further, you can specify that a hardware key is required in the regular Main app (used to edit and provide full access to your database) but that a Virtual Hardware Key should be used in AutoFill mode providing super quick and convenient access to your passwords within other Apps. Both hardware and virtual hardware keys can work on the same database seamlessly.
While using a hardware token to secure your database provides an excellent level of security, it is very possible to lock yourself out of your database by losing the physical key. Once that’s done, there’s no way to unlock your database unless you have the original secret used to program your key. That’s why, in our setup instructions, we recommend you keep this secret somewhere secure (like a safe in your house and/or offsite).
Now with Virtual Hardware Key support you can use this secret if you lose your hardware token to create a new Virtual Hardware Key and recover your database.
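Why a software key built from the backed-up secret behaves exactly like the lost token, shown as an added example (not Strongbox's code). The HMAC-SHA1 response is the part the article describes; the way the response is mixed with the password (`derive_unlock_key`), the verifier, and all sample secrets are simplified assumptions constructed for illustration, not the KeePass file format.

```python
import hashlib
import hmac
import secrets


class ChallengeResponseKey:
    """A key, hardware or virtual, that answers HMAC-SHA1(secret, challenge)."""

    def __init__(self, secret):
        if not secret:
            raise ValueError("secret must not be empty")
        self._secret = bytes(secret)

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def virtual_key_from_backup(hex_secret):
    """Rebuild a key in software from the secret written down at programming time."""
    return ChallengeResponseKey(bytes.fromhex(hex_secret.replace(" ", "")))


def derive_unlock_key(password, response):
    # Simplified assumption: a real database format would run a slow KDF here.
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    cr_hash = hashlib.sha256(response).digest()
    return hashlib.sha256(pw_hash + cr_hash).digest()


def enroll(password, key):
    """Protect a database: returns the stored challenge and a verifier."""
    challenge = secrets.token_bytes(32)
    unlock_key = derive_unlock_key(password, key.respond(challenge))
    verifier = hmac.new(unlock_key, b"verifier", hashlib.sha256).digest()
    return challenge, verifier


def can_unlock(password, key, challenge, verifier):
    unlock_key = derive_unlock_key(password, key.respond(challenge))
    candidate = hmac.new(unlock_key, b"verifier", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, verifier)  # constant-time comparison


def demo():
    backup_hex = "00112233445566778899aabbccddeeff01234567"  # constructed secret
    hardware = ChallengeResponseKey(bytes.fromhex(backup_hex))
    challenge, verifier = enroll("master password", hardware)

    # The token is lost; only the backed-up secret and the password remain.
    virtual = virtual_key_from_backup(backup_hex)
    wrong = virtual_key_from_backup("ff" * 20)
    return {
        "virtual_key_unlocks": can_unlock("master password", virtual, challenge, verifier),
        "wrong_secret_unlocks": can_unlock("master password", wrong, challenge, verifier),
        "wrong_password_unlocks": can_unlock("guess", virtual, challenge, verifier),
    }


if __name__ == "__main__":
    print(demo())
```
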
See our help article on how to create a Virtual Hardware Key for AutoFill mode or disaster recovery.
* This work was inspired by the problems and solutions discovered while adding full YubiKey support to Strongbox. Kudos to everyone on Github for their help.
With iOS version 1.48.3 (Pro) Strongbox now adds support for checking your passwords against the online ‘Have I Been Pwned?’ service.
Have I Been Pwned? is an online service that monitors and collects hacked credentials that are being trafficked in hacker underground communities and the dark web. It collects and collates these security breaches so that it can notify users if their account has become compromised. The site is run by renowned computer security and technology consultant Troy Hunt.
One particular element of the service allows you to check (in a secure way) whether a password appears in an enormous collection (more than 500 million) of known passwords. You can check an individual password here.
Strongbox uses the same API/Service to check your passwords and if they are known to be compromised to indicate this in the UI. This is an opt-in feature which is off by default. Read on for more details.
NB: This is a Pro feature only, it is not available in the free version of Strongbox.
Pwned is online Internet slang which is a corruption of the word “Owned”. So what does “Owned” mean? Owned in the context of computer security or hacker culture basically means a system or in this case, a password, is completely compromised. It is known and provides no protection against an adversary. For more entertainment see the Urban Dictionary definition.
Since this feature is off by default you will need to navigate to Database Auditing preferences to try it out.
If this is your first time using the Have I Been Pwned? audit, you will be presented with a caveat/disclaimer to be certain you are comfortable with using this feature. You will need to accept this to move on.
As with all other audits if Strongbox finds a problem it will indicate it in the UI with an orange “Shield” icon, see the example below:
Once this feature is switched on Strongbox will gather your database passwords and securely check them by making a call to the online service. If you are interested in the technical/security aspects of this please read the How Secure is This? section below.
Since this is an online feature Strongbox will securely cache any compromised passwords so that you don’t have to be online to know which passwords have been marked as compromised on subsequent opens. Strongbox also will check the service at most once per day by default (this is configurable) to save network traffic.
One of the first questions people usually ask is how does this work, how can it possibly be secure? After all, to check my passwords don’t you have to send them to this service over the Internet?
The surprising answer to this question is No. Using some straightforward encryption techniques and a method called k-anonymity this task can be performed while providing some very strong security guarantees. You can read more about the development and implementation of this system on Have I Been Pwned. In short the process works like this:
Procedure
Note that all this takes place over HTTPS.
The Attacker’s Point of View
Let’s assume that an attacker somehow managed to compromise your secure connection (not an easy task) and can see your network traffic directly. Only the 5-digit prefix (21BD1) is visible. This is 20 bits of a 160 bit hash, leaving an enormous search space of 2^140 possible matching hashes. A pretty hopeless task.
The attacker also has no way of knowing if your password is compromised or not by looking at the response. There are roughly 800-1000 hash suffixes returned in each response and it cannot be assumed your password is in this list. Indeed if it is, Strongbox will let you know and you can then act to change it in short order.
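The range check described in this section, as an added example (not Strongbox's code). It uses the public Pwned Passwords range endpoint and its `SUFFIX:COUNT` response format; the offline stand-in for the service, the breach count and the decoy suffixes are constructed so the example runs without a network connection, and `P@ssw0rd` is used as the sample because its SHA-1 begins with the `21BD1` prefix quoted above.

```python
import hashlib
import urllib.request

# Public range endpoint: only the 5-character hash prefix appears in the request.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password):
    """Return (prefix, suffix): 5 + 35 hex characters of the SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch):
    """How often the password appears in the corpus; 0 means not found.

    The suffix comparison happens locally, so the service never learns
    which of the returned suffixes (if any) was the one being checked.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def fetch_range_online(prefix):
    """Real lookup over HTTPS; padded responses add entries with count 0."""
    request = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "k-anonymity-example"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def make_constructed_fetch(breached):
    """Offline stand-in for the service (constructed data, not real counts).

    Returns the fetch function plus a list recording every prefix it was
    sent, which is everything a network observer could learn.
    """
    sent = []

    def fetch(prefix):
        sent.append(prefix)
        lines = []
        for password, count in breached.items():
            p, s = split_hash(password)
            if p == prefix:
                lines.append("%s:%d" % (s, count))
        for i in range(3):  # decoy suffixes sharing the same prefix bucket
            decoy = hashlib.sha1(("decoy-%s-%d" % (prefix, i)).encode()).hexdigest()
            lines.append("%s:%d" % (decoy.upper()[5:], i + 1))
        padding = hashlib.sha1(("pad-" + prefix).encode()).hexdigest().upper()
        lines.append(padding[5:] + ":0")  # padding entry, never a real hit
        return "\r\n".join(lines)

    return fetch, sent


if __name__ == "__main__":
    fetch, sent = make_constructed_fetch({"P@ssw0rd": 12345})
    for candidate in ("P@ssw0rd", "a long passphrase nobody has leaked"):
        print(candidate, "->", breach_count(candidate, fetch))
    print("prefixes that left the device:", sent)
```

Pass `fetch_range_online` instead of the constructed fetch to query the live service.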
This has been a much requested feature and one I’ve been looking forward to for a long time. It finally came time when the Security Audit subsystem was released last week. I hope you’ll enjoy it, find it useful and that it helps make you more secure.
Of course I’d be very interested to hear any stories of the system finding something for you, or if you have any questions, comments or concerns.
A brand new and very handy Audit feature has just been released to the App Store! Here’s a little more detail on this much requested feature.
The Audit feature is designed to detect and highlight weak or compromised passwords so that you can take whatever action you feel is necessary to maintain your security. The Audit is performed by a new component imaginatively named the Auditor. When you unlock your database using your master credentials (or Face ID/PIN code), the auditor begins checking your entries for weaknesses. If it finds an issue it highlights it in the UI like this:
The Auditor checks for 4 types or categories of weak passwords:
All of the above checks can be configured individually on or off, see below under Configuration for further details.
The Auditor runs in the background at low priority (it’s usually very quick/instantaneous but will depend on the number of entries in your database) so it never gets in your way.
All of the above checks are done completely offline, there is no network activity. It goes without saying that your passwords are never sent to any super smart server for checks. The auditor is smart enough to be able to do this all on your device only. Switch on Airplane mode and give it a try!
Of course all of these checks may not suit your usage. So you can configure the individual checks the Auditor performs or just switch the whole feature off entirely. It’s up to you. The configuration screen can be found by tapping the ‘Preferences’ button (little gear icon in the bottom left corner). Tap on ‘Database Auditing’:
The Audit Configuration screen will then appear:
Here you can control the Auditor!
We hope you enjoy the new Audit feature, let us know what you think!
-Mark (Strongbox Founder)