The Most Secure Password Manager, Now Available on macOS (Strongbox Zero)

Strongbox Zero, the local-only version of Strongbox previously only available on iOS, is now available on macOS as well!

Strongbox Zero is a completely separate version of Strongbox that provides the absolute maximum level of privacy and security. All the networking code and as many third party libraries as possible have been stripped out of Zero. It is designed for the most extreme privacy and security conscious users and we don’t recommend it for most people!

With the release of the macOS version of Strongbox Zero, it’s now possible to use the app on Macs, iPhones and iPads for a single price. And all future updates will be included at no extra cost. The license even works with Apple’s Family Sharing.

And if you previously purchased Zero on iOS, you can download the new Mac app for free.

You can download Strongbox Zero here.

And for more details about Strongbox Zero, check out our help articles:

CVE-2023-24055 Vulnerability Update

Security researchers have recently discovered a vulnerability in the Windows KeePass app that could allow attackers to obtain stored passwords in cleartext. The bug has been dubbed CVE-2023-24055.

The Strongbox app is not affected by this vulnerability, which means that if you use Strongbox to work with your KeePass databases you’re protected.

The exploit is based on an attacker being able to edit a configuration file and set up a trigger that silently exports entries from the KeePass database. Strongbox is architected so that configuration files cannot be edited by an attacker in this manner.

The Strongbox team is monitoring the situation and will respond if there are any further developments.

🇬🇷 Καλώς ήρθες Ελλάδα!

You can now use Strongbox in Greek. Update your app to version 1.58.3 to take advantage.

A big thank you to John Spiropoulos for providing the Greek localisation.

Let us know which language you would like to see Strongbox support next.

Introducing Strongbox Universal

Strongbox is now a universal App. This means it runs on both iOS and macOS, and it also means you only need one license to take advantage of all Pro features on both platforms. This has been a much requested feature, and from a quick glance at our support inbox over the last year, this should massively reduce confusion for most users.

Let’s try to answer the most common questions our users have had over the last week or so as it rolled out.

What is Strongbox Universal

Strongbox Universal is a single Strongbox App for both iOS and macOS. There is a single App listing in both App Stores and a single Pro license for Pro users.

When did this happen?

We released our universal builds on the 28th July 2022.

Why did you unify your Apps between iOS and Mac?

Strongbox Universal simplifies things, especially for new users. It also simplifies things for existing users who use Strongbox on both platforms.

I already paid for Strongbox Pro on iOS, how do I get Pro on my Mac?

If you previously paid for a subscription or outright license on iOS, your license now covers macOS as well. Congratulations! 🎉

There are 2 kinds of iOS Pro license you could have, either an In App Purchase Pro license or an Outright Purchase license, depending on how you upgraded. Choose your license below:

I have an iOS Pro license that I purchased In App

  1. Make sure you are signed in using the right Apple ID on the Mac App Store
  2. Download Universal Strongbox here
  3. Strongbox may instantly detect your iOS license, but you might need to help it out. Go to the Upgrade screen (Strongbox > Upgrade) and click ‘Already Purchased’.
  4. You now have access to Strongbox Pro on macOS

I have an Outright iOS Pro license

  1. Make sure you are signed in using the right Apple ID on the Mac App Store
  2. Download Universal Strongbox (Outright) here (NB: It should be immediately available to you without charge. See below if you see a Price instead of a Cloud icon)
  3. You now have access to Strongbox Pro on macOS

I have an Outright iOS Pro license, but I see a Price beside the Outright Pro App on the Mac

This can happen to some Apple IDs, in fact it happened to some of our own during testing… Before you continue as indicated below, make 100% certain that the following is the case:

  1. You are absolutely certain you are signed in with the same correct Apple ID on both iOS and macOS – This is often the problem
  2. You are 100% definitely looking at this App on the App Store, and it is showing as:
  • On your iOS device as purchased
  • On your macOS device as not purchased

If that doesn’t work, then you will simply need to click the ‘Purchase’ or ‘Price’ button on the Mac App Store. This can feel a bit scary unfortunately, but you’ll get a couple of popups and warnings and then you’ll get a message saying ‘This Update is Free’. This appears to be an Apple issue with some Apple IDs.

I have Strongbox Pro on Mac, what happens now?

If you previously paid for Pro on macOS, you do not qualify for a free update to the Universal Strongbox app. Your macOS license will continue to work exactly as before, and you will receive updates, new features and bug fixes for life on macOS. If you would like to also use Strongbox Pro on your iOS devices, you could consider purchasing a new subscription or license.

Where can I get Strongbox Universal?

The best source for Strongbox as always is the App Store, and in particular our Freemium distribution here:

https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731

How does the 3 Month Free Trial Work

In line with Apple’s App Store guidelines, the Free Trial is part of a Yearly Auto-Renewable subscription. You sign up for the Yearly Pro subscription and you will automatically receive a 3-month free trial before you need to pay for the subscription. You can cancel this subscription at any time, before, during or after the Free Trial.

Is there any difference on macOS between the new Universal Apps and the previous macOS Apps?

Zero. Absolutely None. Both apps will remain identical feature wise forever. They will receive updates and features on the same schedule forever. No difference. Apple unfortunately provides no way for us to merge the Apps so we have to support both, which we will continue to do.

What about Strongbox Zero?

There have been no changes to Strongbox Zero, everything remains as before. We do have longer term plans to make a Zero version for macOS, and at that point we will endeavour to make Strongbox Zero a Universal App too.

Why are there 4 versions of Strongbox on the Mac App Store?

This is a long story… TLDR: Apple’s App Store does not allow us to hide builds for new users.

There are now 2 recommended ‘Universal’ Apps in the App Store that we recommend for all new users because they will work on both iOS and macOS with a single license:

Strongbox – Freemium In App Purchase – (Universal App for iOS and macOS)
Strongbox – Outright Lifetime Pro – (Universal App for iOS and macOS)

Older macOS Standalone Versions

There are also on the macOS App Store the 2 previous Apps for our existing customers who upgraded before Strongbox Universal licensing was possible:

Strongbox Freemium In App Purchase – (Runs on macOS Only)
Strongbox – Outright Lifetime Pro – (Runs on macOS Only)

Freemium In App Purchase vs Outright Pro – What’s the Difference?

These are actually two identical copies of Strongbox but they differ in the purchase method.

  • The Freemium version (allowing for a subscription based upgrade to Pro via In App Purchase)
  • The Outright Lifetime Pro version (where you purchase up front in the App Store)

Both offer the same Pro feature set and same update schedule. The only difference is that you pay upfront immediately for the Outright Purchase and the Icon has a cosmetic Pro tag on it (this is to fit in with Apple HIG/App Store guidelines).

The reason for this is that businesses sometimes prefer to buy in volume upfront. Freemium is to allow users to use the limited feature set for free or upgrade easily via In-App Purchase whenever they want to. It is important to know which version you previously purchased: was it up front, or was it an In-App Purchase? Your Apple receipt should say.

Will the Pro Version or License Work on All of My Devices (iPhone, iPad and Mac)?

Yes, Strongbox is now a universal App, which means it runs on both iOS and macOS, and uses a single license across these platforms.

The license is linked to your Apple ID. So no matter what device you use (iPhone/iPad/Mac), as long as you are signed in with the correct Apple ID, you will have access to Strongbox Pro.

NB: You may need to tap the ‘Restore Purchases’ or ‘Already Purchased‘ button on the Upgrade screen.


Notes

Note 1: If you’re not sure which version of Strongbox you have purchased you can click on the links above and you will be able to see in the App Store which one is available for you.

Note 2: If you have previously purchased one of the macOS only apps, then not to worry, you will continue receiving updates and features forever. In July of 2022, we made the required changes to Strongbox to be a ‘Universal App’ meaning it can run on both iOS and macOS platforms, and so that is now our recommendation for new users.

Note 3: You can change the App icon if you like at any time.

🇵🇱 Witaj Polsko!

Strongbox (1.55.7) has just been localised into Polish with the help of our wonderful Polish L10n expert! (Dziękuję Łukasz!)

We hope this makes things a little more convenient for you 🙂

Welcome 1Password Refugees


Just take me to the 1Password to KeePass migration steps…


Introduction

We have received much correspondence over the last month or so from some very anxious 1Password users. The news that 1Password is dropping support for local only vaults as well as their decision to go with an Electron based UI has alienated former fans. Fortunately, here at Strongbox, we have no such plans to go with Electron and control over your vaults (we call them “databases”) is kind of our thing. We believe you should own your most important secrets and that not everything needs to be stored or managed in the cloud.

The Migration Frustration

One of the biggest complaints from users coming from the fully managed 1Password environment is how to get your databases from 1Password into Strongbox or even just a more portable format. Previously we had a long set of instructions with exceptions, tricky steps and third-party tools. 1Password has not made it an easy task for other developers to import their vaults. The format of their export files can only be described as a frustrating and chaotic mess. Not to be deterred, we’ve worked hard on deciphering the madness, and now, with the release of Strongbox version 1.16.2 on MacOS, we have a much simpler set of instructions which should lead to a much better experience for 1Password refugees.

Open Source Databases not Managed Cloud Vaults

Strongbox uses a time tested and super secure, open-source format called KeePass by default to manage its databases. This means there is no lock in. If you decide you don’t like Strongbox, that’s fine, take your vaults to one of the many other KeePass clients available on every platform known to humanity. We’ll work hard though to make sure you like Strongbox.

Conclusion & Feedback

So, as the founder, I’d just like to welcome you aboard. I hope you’ll like Strongbox, even if you just use it to convert your vaults into nice, friendly, open-source KeePass databases. I hope you’ll decide to stick with Strongbox. We’re a small company and we respect your privacy. We believe you should own and control your secrets, that’s our USP. We also offer a full 90 day free trial of all our Pro features, and after that we even offer a free and slightly more limited version that you can use forever. We hope though that you’ll choose to stick with us. Any feedback you have on the importation/migration process is most welcome. We’ll be adding import support to our iOS app shortly too. So, Welcome aboard!

-Mark


Full Migration Steps are available here.


WebDAV and SFTP Now Available on macOS

Strongbox now supports WebDAV and SFTP on macOS. These new storage providers have been much requested because they provide the ability to host your own KeePass database on your own storage, in a way that allows for synchronisation across devices and availability from anywhere on the Internet (if you like).

Note: The WebDAV & SFTP are part of the macOS Pro feature set

WebDAV and SFTP are public open protocols supported by a wealth of different devices. Indeed SFTP is probably the standard way of transferring files on Linux based systems, and because it is built on top of SSH it is also the most secure way to do so. WebDAV is an open extension of HTTP, adding new methods like PROPFIND and PROPPATCH, and can sit seamlessly on top of a regular HTTP(S) session. In particular WebDAV is supported by Nextcloud and ownCloud, 2 popular up and coming privacy conscious storage solutions, which allow users to operate or subscribe to their own personal storage solution. Often Nextcloud runs on top of a NAS. Alternatively, many NAS devices support WebDAV and SFTP natively; for example Synology and QNAP provide their own implementations.

If you’re not keen on storing your database on your cloud provider, perhaps a free Dropbox or Google Drive account, but you want the convenience of a centralised location to store your password database, then WebDAV or SFTP could be for you. Strongbox tries to make this straightforward and has supported these protocols on iOS for quite a while. Now these protocols are available on macOS.

To add a WebDAV or SFTP hosted database to Strongbox, simply:

  1. Launch Strongbox and bring up the Databases Manager window (Command + D).
  2. Tap the ‘Add Database…’ button in the bottom right hand corner and select WebDAV or SFTP as preferred
  3. You’ll now be prompted to enter the location of your server, and authentication information. Tap Connect when done.
  4. Once successfully authenticated against your server you can start to browse your files and folders.
  5. Locate your database, and tap Select.
  6. You should now have added this database and you’ll be presented with the Unlock screen.

Strongbox SFTP Setup – Browsing for a database on macOS

Strongbox will sync your changes back and forth (merging automatically where necessary). Strongbox also checks if your database has been changed by another process periodically and updates it if so, so you’re always working with the latest version.

We hope you’ll like this feature and that it’ll all be smooth sailing, of course we’d love to hear what you think and if we can improve in any way!

Syncing With a Synology NAS

It seems that Synology released an update (version 5.15.0 on April 13th 2021) to their DS File App which appears to be problematic for users who use the “Files” method to sync their databases with Strongbox. Unfortunately we don’t know exactly what Synology have done here, and there’s little we can do to fix things. So we would like to make sure everyone is aware of the best way to perform sync with a Synology device.

Update 13-Sept-2021: We are receiving reports that Synology have now fixed their App. We continue to recommend the methods below.

Recommended Methods

We always recommend users use either WebDAV or SFTP to sync their databases with their Synology NAS devices as it appears to be a much more reliable method and isn’t prone to getting things out of sync or randomly failing. You can also access your NAS via SFTP/WebDAV using the MacOS version of Strongbox.

A Note on using SMB

Unfortunately there are reports that SMB isn’t very reliable via iOS Files and also suffers from security issues, so using it over the public Internet isn’t recommended.

WebDAV & SFTP – Recommended

So we’ll stick with WebDAV & SFTP. This is all the more pressing now with the release of the broken DS File update. In this article we’ll cover getting WebDAV or SFTP up and running and connecting via Strongbox’s built in WebDAV support.

WebDAV

The authoritative Synology instructions can be found here. In a very short summary you need to:

  1. Log in to the Disk Station Manager or DSM with an account belonging to the administrators group.
  2. Go to Package Center to install WebDAV Server.
  3. Launch WebDAV Server and check Enable HTTPS checkbox. You can customise the port number if you like.
  4. Save the settings.
  5. To access from Strongbox, choose Add Existing Database
  6. Choose WebDAV
  7. Enter the IP address or the hostname of your Synology NAS followed by a colon followed by the port number (usually 5006 but may be different depending on how you have configured it). For example: https://my.host.com:5006
  8. Enter your username/password.
  9. You may not have configured a valid certificate (we would recommend that you do; you could use Let’s Encrypt, for example). If your certificate isn’t valid, tick the ‘Allow Untrusted Certificate’ checkbox in Strongbox.
  10. All going well you should now be able to browse your file system for your password database.
  11. Finally add that database and you’re all set!

Some tips/tricks from other users who managed to get WebDAV working on their setups. These may or may not apply to you and haven’t been verified:

  • Ensure that the correct WebDAV port number is used in the URL/Address you enter
  • Make sure the WebDAV port is enabled in the Synology’s firewall
  • Make sure the WebDAV port is forwarded on the router if accessing remotely
  • Ensure Synology user account has WebDAV permissions
  • If using your own (untrusted) SSL certificate, ensure “Allow Untrusted Certificate” is enabled
  • In some cases you may need to append /home to your WebDAV URL. See here for more details.
  • Ensure the user password does not have any special characters if you are getting authentication errors
  • TLS/ SSL Profile Levels at “Modern compatibility” seem to work but you may want to change this if you have trouble.
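Steps 7 to 9 above, and the tips about the port, the /home path and the ‘Allow Untrusted Certificate’ checkbox, can all be checked from a terminal before you point Strongbox at the NAS. The script below is an added example, not Strongbox’s or Synology’s own code: it builds the address in the form step 7 asks for, sends the same PROPFIND request a WebDAV client sends, and, rather than silently trusting a self-signed certificate, shows its SHA-256 fingerprint so you can compare it with what DSM displays. The host, port, credentials and fingerprint are placeholders you supply.

```python
import hashlib
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Added example (not Strongbox's or Synology's code). Host, port, user, password and
# the expected fingerprint are all placeholders supplied by the caller.


def webdav_url(host: str, port: int = 5006, path: str = "/") -> str:
    """Build the address in the form step 7 asks for: https://host:port[/path]."""
    if not path.startswith("/"):
        path = "/" + path
    return f"https://{host}:{port}{path}"


def normalise_fingerprint(fp: str) -> str:
    """Accept the colon-separated / upper-case forms DSM and openssl print."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprints_match(seen: str, expected: str) -> bool:
    return normalise_fingerprint(seen) == normalise_fingerprint(expected)


def server_cert_sha256(host: str, port: int = 5006) -> str:
    """SHA-256 fingerprint of the certificate the server presents, fetched without
    validation so a self-signed certificate can be compared out-of-band."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def propfind_status(url: str, username: str, password: str,
                    allow_untrusted: bool = False,
                    expected_sha256: Optional[str] = None) -> int:
    """Send the WebDAV PROPFIND a client sends on connect and return the HTTP status:
    207 Multi-Status means WebDAV answered, 401 means the credentials were rejected,
    anything else usually means the wrong port or a non-WebDAV service.
    Certificate validation stays on unless the caller opts out AND supplies a
    fingerprint that matches what the server presents."""
    ctx = ssl.create_default_context()
    if allow_untrusted:
        parts = urllib.parse.urlsplit(url)
        seen = server_cert_sha256(parts.hostname, parts.port or 443)
        if expected_sha256 is None or not fingerprints_match(seen, expected_sha256):
            raise ssl.SSLCertVerificationError(
                f"server presented sha256={seen}; refusing to skip validation "
                "without a matching, out-of-band verified fingerprint")
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, username, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPBasicAuthHandler(mgr))
    req = urllib.request.Request(url, method="PROPFIND", headers={"Depth": "0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Placeholder values; replace with your NAS details.
    url = webdav_url("my.host.com", 5006)
    print("fingerprint:", server_cert_sha256("my.host.com", 5006))
    print("PROPFIND status:", propfind_status(url, "user", "password"))
```

The fingerprint check and the PROPFIND use two separate connections, so this is a sanity check rather than a strict pin; for a self-signed NAS the safer long-term fix is the one step 9 suggests, a certificate from Let’s Encrypt, after which `allow_untrusted` is never needed.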

SFTP

The authoritative Synology instructions can be found here. In a very short set of instructions:

  1. Log in to the Disk Station Manager or DSM with an account belonging to the administrators group.
  2. Click on Control Panel
  3. Click on File Services
  4. Click on the FTP tab
  5. Scroll down to the SFTP Section and enable
  6. Now, SFTP is live. We just need to make sure that a user is able to access the SFTP service. You can do this under Control Panel also. Select the Users component and create or ensure your user has SFTP access.
  7. To access from Strongbox, choose Add Existing Database
  8. Choose SFTP
  9. Enter the IP address or the hostname of your Synology NAS.
  10. Enter your username/password.
  11. All going well you should now be able to browse your file system for your password database.
  12. Finally add that database and you’re all set!

There is a good YouTube video which explains the steps to configure your Synology as an SFTP server.

Other Helpful Hints, Tips and Tricks

There is a plethora of information in the below video for how to configure your NAS for external connectivity which you may find helpful. It is presented in a friendly and funny way. Worth a look.

Please let us know if we should add any other details, or how your experience was with these instructions, so that we can update this article for others.

Interview with Strongbox Founder on Safety Detectives

Recently our founder, Mark, sat down (virtually) for an interview with Aviva Zacks over at Safety Detectives. In this short piece he speaks about the origins of Strongbox, how the threat landscape is looking and the growing need to manage our online lives securely. So, if you’re interested and have a few minutes, why not take a look. You can find the interview here:

https://www.safetydetectives.com/blog/interview-mark-mcguill-strongbox/

Thanks to Aviva and Safety Detectives for reaching out.

Offline Editing

Strongbox on iOS now supports Offline Editing. Previously it was only possible to view your database while offline but now it’s possible to add, remove, edit and reorganise your database while out on that remote hike, on a flight or even just on the Tube.

Offline Editing depends upon our recently released feature Compare & Merge and the ability to maintain an independent local copy of your KeePass (or Password Safe) database with changes, and synchronise with a remote version of your database.

NB: Offline Editing is a Pro only feature (though you can always view a read only copy of your database in the free version).

Strongbox tries to detect when you are offline and immediately offer this option to you, but sometimes you will just want to manually initiate this offline editing process yourself for whatever reason. That’s super easy now. Just long tap on your database and select Open Offline.

You can always edit offline by selecting Open Offline from the context menu
The orange icon indicates that there are pending changes to be sync’d to your remote storage location.

This will open Strongbox in Offline mode. This means you can still make all the changes you normally would, or just search for an entry. However, any changes are stored only locally, ready for sync’ing back to your remote storage location whenever you next come online, or perform a sync. If you do have local changes that need to be sync’d you will see an orange icon next to your database on the main Databases List (“Home”) screen. You can always initiate a sync by pulling down on the Databases List or just tapping to unlock the database in question. Strongbox will manage any synchronisation conflicts and present options to merge if required.

This was one of our most requested features so we’re really happy to have been able to get this one out the door. It took a lot of work and relies on some other features that we’re really proud of. We hope you’ll like it, find it useful and that it makes your life a little bit easier.

Advanced Sync and Auto-Merge (iOS)

With the release of Strongbox 1.51.0 comes (finally) the much requested “Advanced Sync” feature. We wrote about this a little in our previous update about Compare & Merge. It is the “Merge” part of this feature where the real magic happens. This is the core component that Advanced Sync relies on to perform smart updates so that you don’t lose or overwrite your important data.

Advanced Sync occurs in two directions. When you tap (or pull down) on your database, you “read” the latest version of your database from say Dropbox or your SFTP server for example. It also occurs when you add items or edit your database on your iOS device and push changes (or “write”) to the same remote storage provider.

Advanced Sync checks to see if the remote (e.g. Dropbox) database has been modified or changed from the copy you have “locally” on your device. It’s quite possible if you’ve got a family member or colleague working on the same database, or if you’re working across multiple devices swiftly. This leads to the dreaded “Sync Conflict” scenario. There are two conflicting versions of your database.

Previously you would have no choice but to choose between versions (local or remote) and allow an overwrite to happen. Less than ideal. Worse still, this may just have happened silently and you didn’t even get the option to choose which version to keep.

Sync Conflict Scenario – Now with option to Auto-Merge

With Advanced Sync, not only do you get informed that there are differences between your local copy and the remote, but you can view them (this is a Pro feature) and then choose to “Auto-Merge” them (available to all users Free and Pro) so that you keep both sets of changes. The Merge algorithm (described in more detail here) picks the latest changes, archives the older changes in your history and basically just does the right thing, getting out of your way. It won’t force you to pick a version in a confusing fashion either! It really is the best of all possible worlds as an old philosopher once said.

This has been a long requested feature and we believe this kind of functionality is a blessing in a password manager based on flat files and not on a centralised server where someone else owns your data. We hope you’ll agree this is really useful and important.

That’s it from us, it’s been a busy period of development (apologies for the flurry of updates recently!) and getting these changes out the door is not as smooth a process as we always hope. Thanks for putting up with these changes and please feel free to share this article if you think it will be of interest to anyone.

Coming Soon: We’ll talk a little about Offline Editing, our latest and (possibly) greatest feature!

Hallo Nederland! – Strongbox now available in Dutch

Strongbox (1.52.0) has just been localized into Dutch with the help of a wonderfully dedicated volunteer (Thank you!)

We hope this makes things a lot more comfortable and apologies for the delay in getting this out the door!

Compare & Merge (iOS)

A key component required for developing the Advanced Sync feature (coming soon) is the ability to compare databases and then to merge them. It’s quite a big feature and the development work is quite large. Since Advanced Sync is our number one development priority we’ve been deep in the code caves working on it for quite a while. Apologies if it looks like we’ve been slacking off!

With the release of version 1.50.13 on iOS we decided to not only add this functionality but also to make it available in a friendly UI. So no more flying blind when you’ve got 2 slightly out of sync copies of your databases. Just fire up Strongbox, select Compare & Merge from the context menu and let it do the hard work of comparing all entries. Optionally then you can choose to merge the databases so that you have the latest entries, edits and moves from both.

NB: The Compare feature is a Pro feature only. Advanced Sync (see below) will be available for free as we believe it’s just bad news for everyone in the password management world if we have out of sync databases promulgating.

Scenario – Mary & Joe and their shared database

Let’s take a look at this new feature briefly. One of the most common ways you can get out of sync versions is when you have multiple “editors”. Perhaps you are sharing your database with your partner Mary. Let’s say Mary goes off on a nice hike and (for some reason) decides to cleanup or re-organise your shared database. Meanwhile around the same time, you are at home and you just found a cool new bookshop which you signed up to immediately. Of course you diligently entered your login details into your Strongbox database. Well now we have arrived at that dreaded out of sync situation… What do these two databases look like? Let’s see an illustrative example.

Joe found a new bookshop…
Mary’s been busy organising!

Ruh roh… This is less than ideal. Joe has added his new favourite bookshop, Waterstones, to the database. Meanwhile Mary has been tidying up the database, moving entries around and creating a nice group structure. Ideally we really don’t want to lose any of these changes!

Well that’s where the new Compare & Merge feature comes in super handy! Let’s say Mary gets back and now you both realise your databases are out of sync. No problem! Let’s get Mary’s copy on to our devices and get the process started.

We tap and hold our database and select ‘Compare & Merge’ then follow the instructions on screen.

Get started by tapping Compare & Merge
Comparison

Finally we get to the comparison screen. As you can see Strongbox has figured out what changes were made by Mary and the changes necessary to bring your database up to speed with all of her changes. You can see she has moved a number of items around (you can even drill down and find out to where) and created a number of groups.

If you’re happy with all these changes you can go ahead and tap Merge to have Strongbox perform these moves, additions and edits. So that’s it! Here’s what that looks like after the Merge.

After Merge

That’s all there is to it really. There is a ton of complexity hidden behind this pretty UI but we hope that’s what you’ve come to expect of Strongbox. Now a short word on our next major feature, Advanced Sync, which automates this process, and which we promise is coming really soon!

Advanced Sync – Coming Soon

As you have probably guessed, the same algorithm that is used for comparing and merging your databases intelligently can be used and automated when Strongbox detects your local and remote databases have gotten out of sync. Advanced Sync depends on this smart/intelligent algorithm and so that’s why this latest feature ‘Compare & Merge’ has come first. It’s a little more awkward to set up a merge because you need to add the other version of the database. We feel it was worth making this its own feature though. You never know when you’ll need to compare databases! Advanced Sync will seamlessly integrate this feature into the already extensive Sync architecture of Strongbox. Fingers crossed you’ll never see another out of date version of your database again.
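The Mary & Joe scenario above, and the merge rule described in the Advanced Sync article (“picks the latest changes, archives the older changes in your history”), can be shown in a few lines. The following is an added example, not Strongbox’s own merge code: a simplified per-entry merge of two copies of a database, keyed by entry UUID, where an entry edited on both sides resolves to the newer modification time and the losing version is archived in that entry’s history. The sample data is constructed to match the story: Joe adds Waterstones while Mary moves the bank entry into a new group.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone

# Added example, not Strongbox's own code: a simplified "newest modification wins
# per entry, archive the other version in history" merge of two database copies.


@dataclass
class Entry:
    uuid: str
    title: str
    group: str                 # path of the group the entry lives in
    password: str
    modified: datetime         # KeePass keeps a last-modification time per entry
    history: list = field(default_factory=list)   # older snapshots of this entry


def merge_databases(local: dict, remote: dict) -> dict:
    """Merge two {uuid: Entry} maps. Entries present on one side only are kept;
    entries that differ on both sides resolve to the newer modification, with the
    older version archived in the winner's history so nothing is lost."""
    merged = {}
    for uuid in sorted(local.keys() | remote.keys()):
        a, b = local.get(uuid), remote.get(uuid)
        if a is None or b is None:
            merged[uuid] = a if a is not None else b   # added on one side only
            continue
        if a.modified == b.modified:
            merged[uuid] = a                           # nothing to reconcile
            continue
        newer, older = (a, b) if a.modified > b.modified else (b, a)
        snapshot = replace(older, history=[])          # archive the losing version
        merged[uuid] = replace(newer, history=list(newer.history) + [snapshot])
    return merged


def compare(local: dict, merged: dict) -> list:
    """Describe what applying `merged` changes in `local` (the Comparison screen)."""
    changes = []
    for uuid, entry in merged.items():
        mine = local.get(uuid)
        if mine is None:
            changes.append(f"add {entry.title!r} in {entry.group}")
        elif mine.group != entry.group:
            changes.append(f"move {entry.title!r} from {mine.group} to {entry.group}")
        elif mine.modified != entry.modified:
            changes.append(f"update {entry.title!r}")
    return changes


def ts(day: int, hour: int) -> datetime:
    # constructed timestamps for the sample data
    return datetime(2021, 5, day, hour, tzinfo=timezone.utc)


def sample_databases():
    """Constructed data for the scenario: Joe's copy and Mary's copy of one database."""
    base = {
        "bank": Entry("bank", "Bank", "/", "hunter2-bank", ts(1, 9)),
        "email": Entry("email", "Email", "/", "hunter2-mail", ts(1, 9)),
    }
    joe = dict(base)
    joe["books"] = Entry("books", "Waterstones", "/", "hunter2-books", ts(2, 14))
    mary = dict(base)
    mary["bank"] = replace(base["bank"], group="/Finance", modified=ts(2, 15))
    return joe, mary


if __name__ == "__main__":
    joe, mary = sample_databases()
    merged = merge_databases(joe, mary)
    print("changes to Joe's copy:", compare(joe, merged))
    print("changes to Mary's copy:", compare(mary, merged))
```

Deletions are deliberately left out of this sketch (KeePass records them separately so a merge can tell “deleted” from “never existed”), and the merge is symmetric: merging Mary’s copy into Joe’s gives the same result as the reverse.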

Conclusion

Compare & Merge is a super handy tool for your databases. It should give you the confidence you need to perform merges and perhaps even figure out how you ended up in the non synchronised state in the first place. The process will be more automated as part of your regular Strongbox sync in the coming weeks so you might come across this and appreciate it completely serendipitously… We hope you’ll like it! 🙂

Lastly if you liked this article or you think this is a cool feature, please feel free to share it on social media or with your friends and family.

Ahoj Česko! Hello Czech Speakers

Strongbox has just been localized into Czech with the help of S474N who managed the localization in record time and has done a wonderful job, we hope you’ll agree!

Czech (😅) it out!

Konnichiwa Japan! -こんにちは日本

As of version 1.49.24 on iOS and coming soon on Mac, Strongbox is now localized in Japanese and available to all users in Japan! We hope you’ll like it. 🙂

We know that KeePass is super popular in Japan and Japanese users are early adopters and power users of password managers and computer security in general, so we’re proud to finally offer a much more native experience. Please let us know what you think!

We’d love to add more languages and are always looking for help and suggestions, so please get in touch if you’d like to see Strongbox in your language!

Arigato! ありがとうございました

Introducing Virtual Hardware Keys

Introduction

With the release of version 1.49.23 on iOS today, Strongbox now offers the possibility of creating Virtual Hardware Keys. These are software implementations of the popular hardware tokens from various vendors. Strongbox already supports hardware keys over NFC and Lightning in the Pro edition.

Virtual Hardware Keys are a new feature of Strongbox available to all, free, for life. If you like Strongbox, consider supporting us by purchasing a subscription or license.

The Problem with Hardware Only Keys on iOS

While using a hardware token provides an excellent extra factor for encrypting your KeePass databases, there are (or were!) some downsides that really put a dampener on adoption of a hardware key as a second (or third) factor. One of the main blockers is the lack of support for NFC and Lightning in AutoFill mode. Apple does not allow NFC to be used in App Extensions (the technical term for the execution context of the Strongbox AutoFill component). Some vendors do not offer library support for Lightning (MFI) in App Extensions. This has led to a suboptimal situation whereby you can use your hardware key in the main Strongbox app, but you cannot use the extremely convenient iOS AutoFill feature.

Enter the new Strongbox feature, Virtual Hardware Keys. You can create a Virtual Hardware Key within Strongbox which is a software simulation of the process that takes place on your hardware key, technically an HMAC-SHA1 digest. To do this you will need the secret you programmed your hardware key with originally (something you will or should have stored somewhere very secure in case of device loss). Using this secret Strongbox can mimic your hardware key in software. Strongbox stores this secret securely in the Secure Enclave on your device.

Why Use a Virtual Hardware Key?

There are two main scenarios in which you’ll want to use a Virtual Hardware Key. Let’s deal with them in turn…

1. AutoFill Mode

As mentioned above, you cannot use a hardware key in iOS AutoFill mode due to system limitations. This led many to abandon a hardware key as a second factor on iOS. Because Virtual Hardware Keys are entirely software based, you can use them in AutoFill mode. Further, you can specify that a hardware key is required in the regular main app (used to edit and provide full access to your database) but that a Virtual Hardware Key should be used in AutoFill mode, providing super quick and convenient access to your passwords within other apps. Both hardware and virtual hardware keys can work on the same database seamlessly.

2. Emergency or Disaster Recovery

While using a hardware token to secure your database provides an excellent level of security, it is very possible to lock yourself out of your database by losing the physical key. Once that’s done, there’s no way to unlock your database unless you have the original secret used to program your key. That’s why, in our setup instructions, we recommend you keep this secret somewhere secure (like a safe in your house and/or offsite).

Now with Virtual Hardware Key support you can use this secret if you lose your hardware token to create a new Virtual Hardware Key and recover your database.
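To make the two scenarios above concrete, here is an added Python example (not Strongbox code) showing why a virtual key built from the programmed secret answers a database challenge exactly as the token would, and so can recover a database after the token is lost. The secret, the challenge and the `derive_unlock_key` mixing step are constructed for illustration; the real KDBX key derivation is not reproduced here.

```python
import hashlib
import hmac


def hardware_key_response(secret: bytes, challenge: bytes) -> bytes:
    """What a token does in HMAC-SHA1 challenge-response mode: it never
    reveals `secret`, it only returns HMAC-SHA1(secret, challenge)."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()  # 20 bytes


class VirtualHardwareKey:
    """Software stand-in for the token, built from the same programmed secret.
    Hypothetical class: Strongbox keeps the real secret in the Secure Enclave."""

    def __init__(self, secret: bytes) -> None:
        if len(secret) != 20:  # YubiKey HMAC-SHA1 slots hold a 20-byte secret
            raise ValueError("expected a 20-byte HMAC-SHA1 secret")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hardware_key_response(self._secret, challenge)


def derive_unlock_key(password: str, response: bytes) -> bytes:
    """Simplified illustration of mixing the challenge response into the
    database's composite key (assumption: not the exact KDBX derivation)."""
    password_hash = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(password_hash + response).digest()


# Constructed demo values: the secret you programmed the token with (and
# stored offline in a safe), and a per-database challenge such as its seed.
PROGRAMMED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0ffeeddcc")
DB_CHALLENGE = bytes.fromhex("4a" * 32)


def recovery_demo() -> bool:
    """Token lost: a virtual key rebuilt from the backed-up secret answers the
    database's challenge identically, so the unlock key is the same."""
    token_answer = hardware_key_response(PROGRAMMED_SECRET, DB_CHALLENGE)  # simulated token
    virtual_answer = VirtualHardwareKey(PROGRAMMED_SECRET).respond(DB_CHALLENGE)
    return hmac.compare_digest(
        derive_unlock_key("correct horse", token_answer),
        derive_unlock_key("correct horse", virtual_answer),
    )


if __name__ == "__main__":
    print("recovered" if recovery_demo() else "locked out")
```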

How Do I Create or Use a Virtual Hardware Key?

See our help article on how to create a Virtual Hardware Key for AutoFill mode or disaster recovery.

* This work was inspired by the problems and solutions discovered while adding full YubiKey support to Strongbox. Kudos to everyone on GitHub for their help.

New Security Audit: ‘Have I Been Pwned?’

With iOS version 1.48.3 (Pro) Strongbox now adds support for checking your passwords against the online ‘Have I Been Pwned?’ service.

The ‘Have I Been Pwned?’ feature in action

What is ‘Have I Been Pwned?’

Have I Been Pwned? is an online service that monitors and collects hacked credentials that are being trafficked in hacker underground communities and the dark web. It collects and collates these security breaches so that it can notify users if their account has become compromised. The site is run by renowned computer security and technology consultant Troy Hunt.

One particular element of the service allows you to check (in a secure way) whether a password appears in an enormous collection (more than 500 million) of known passwords. You can check an individual password here.

Strongbox uses the same API/service to check your passwords and, if they are known to be compromised, to indicate this in the UI. This is an opt-in feature which is off by default. Read on for more details.

NB: This is a Pro feature only, it is not available in the free version of Strongbox.

What on Earth does ‘Pwned’ mean?!

Pwned is online Internet slang which is a corruption of the word “Owned”. So what does “Owned” mean? Owned in the context of computer security or hacker culture basically means a system or in this case, a password, is completely compromised. It is known and provides no protection against an adversary. For more entertainment see the Urban Dictionary definition.

How do I use it?

Since this feature is off by default you will need to navigate to Database Auditing preferences to try it out.

If this is your first time using the Have I Been Pwned? audit, you will be presented with a caveat/disclaimer to be certain you are comfortable with using this feature. You will need to accept this to move on.

As with all other audits if Strongbox finds a problem it will indicate it in the UI with an orange “Shield” icon, see the example below:

Once this feature is switched on Strongbox will gather your database passwords and securely check them by making a call to the online service. If you are interested in the technical/security aspects of this please read the How Secure is This? section below.

Since this is an online feature Strongbox will securely cache any compromised passwords so that you don’t have to be online to know which passwords have been marked as compromised on subsequent opens. Strongbox also will check the service at most once per day by default (this is configurable) to save network traffic.

How Secure is This?

One of the first questions people usually ask is how does this work, how can it possibly be secure? After all, to check my passwords don’t you have to send them to this service over the Internet?

The surprising answer to this question is No. Using some straightforward cryptographic techniques (hashing) and a method called k-anonymity, this task can be performed while providing some very strong security guarantees. You can read more about the development and implementation of this system on Have I Been Pwned. In short, the process works like this:

Procedure

  1. Your password is hashed (in this case using SHA-1). This maps your password to a fixed 20-byte (160-bit) value in a deterministic way. Hash functions try to make this process difficult to reverse and also provide an even mapping across the full range of the 2^160 possible values.
  2. This is then converted to standard hex format, e.g. 21BD12DC183F740EE76F27B78EB39C8AD972A757
  3. The first 5 hex digits (20 bits) are then taken and used to query the online service, e.g. https://api.pwnedpasswords.com/range/21BD1
  4. This service looks up all known compromised passwords with this SHA-1 prefix and sends them back to Strongbox. It also includes many other items which are not compromised (padding).
  5. Strongbox checks this returned list for the suffix of the SHA-1 hash, in this case 2DC183F740EE76F27B78EB39C8AD972A757
  6. If it is found, Strongbox knows that this password is not secure and will indicate this in the UI

Note that all this takes place over HTTPS.
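The six steps above, as an added Python example (not Strongbox code) that runs offline: the HTTPS call is replaced by a stub returning a constructed range response, built around the genuine SHA-1 suffix of the password “password” with a made-up breach count. Padded entries are modelled with a count of 0, which is how the service marks them, and they never flag a password.

```python
import hashlib
import re

RANGE_LINE = re.compile(r"^([0-9A-F]{35}):(\d+)$")

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/5BAA6
# ("<35-hex suffix>:<count>" per line). First line: real suffix of
# SHA-1("password"), made-up count. Count 0 lines are padding entries.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:17
FEDCBA9876543210FEDCBA9876543210FED:0
"""
PADDING_ONLY = "FEDCBA9876543210FEDCBA9876543210FED:0\n"


def sha1_hex(password):
    """Steps 1-2: SHA-1 of the password as 40 upper-case hex digits."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex):
    """Step 3: only the 5-hex-digit (20-bit) prefix ever leaves the device."""
    return digest_hex[:5], digest_hex[5:]


def parse_range(body):
    """Step 4: map suffix -> breach count, rejecting malformed lines."""
    found = {}
    for line in body.splitlines():
        match = RANGE_LINE.match(line.strip())
        if not match:
            raise ValueError("unexpected range line: %r" % line)
        found[match.group(1)] = int(match.group(2))
    return found


def offline_range_lookup(prefix):
    """Stub for the HTTPS request so the example runs without a network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else PADDING_ONLY


def pwned_count(password, lookup=offline_range_lookup):
    """Steps 5-6: how often the password appears in breaches (0 = not found).
    Padding entries carry count 0, so they never mark a password as pwned."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(lookup(prefix)).get(suffix, 0)
```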

The Attacker’s Point of View

Let’s assume that an attacker somehow managed to compromise your secure connection (not an easy task) and can see your network traffic directly. Only the 5-hex-digit prefix (21BD1) is visible. This is 20 bits of a 160-bit hash, leaving an enormous search space of 2^140 possible matching hashes. A pretty hopeless task.

The attacker also has no way of knowing if your password is compromised or not by looking at the response. There are roughly 800-1000 hash suffixes returned in each response and it cannot be assumed your password is in this list. Indeed if it is, Strongbox will let you know and you can then act to change it in short order.

Conclusion

This has been a much requested feature and one I’ve been looking forward to for a long time. The time finally came when the Security Audit subsystem was released last week. I hope you’ll enjoy it, find it useful and that it helps make you more secure.

Of course I’d be very interested to hear any stories of the system finding something for you, or if you have any questions, comments or concerns.

New Audit Feature Released (iOS 1.48.0)

A brand new and very handy Audit feature has just been released to the App Store! Here’s a little more detail on this much requested feature.

Details screen indicating a weak password (‘princess’ is a very common password!)

The Audit feature is designed to detect and highlight weak or compromised passwords so that you can take whatever action you feel is necessary to maintain your security. The Audit is performed by a new component imaginatively named the Auditor. When you unlock your database using your master credentials (or Face ID/PIN code), the auditor begins checking your entries for weaknesses. If it finds an issue it highlights it in the UI like this:

Browse Screen showing an entry with an audit issue

Audit Checks

The Auditor checks for 4 types or categories of weak passwords:

  • No or empty password
    • This checks for entries that have no password at all. This may not suit some users. Some people do not set passwords on all entries.
  • Duplicated passwords
    • This checks if a password is ever duplicated, i.e. used by more than one entry in the database. Ideally one should never reuse a password.
  • Well known or common passwords
    • The Auditor is smart and knows some of the most commonly used passwords, just like the hackers do. It checks each entry for well known and weak passwords. There’s never really a good excuse to use one of these.
  • Similar passwords
    • This is another smart feature of the Auditor, it is able to detect similar passwords, e.g. ‘Princess’ and ‘princess1’. Hackers are aware of these minor variations on a theme, and they should not be used to mask the underlying weakness of your passwords.

All of the above checks can be configured individually on or off, see below under Configuration for further details.
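An added Python example (not the Strongbox Auditor) of the four checks described above, run offline over a small constructed vault. The common-password list, the similarity rule (case folded, trailing digits and symbols stripped, then Levenshtein distance of at most 2) and the sample entries are this example’s own assumptions, not the app’s.

```python
import re

# Constructed stand-in for the Auditor's built-in list of well known passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "princess", "letmein"}


def normalise(password):
    """Collapse the variations tried first: case and trailing digits/symbols."""
    return re.sub(r"[\d!@#$%^&*._-]+$", "", password.casefold())


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-duplicates."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_similar(a, b, max_distance=2):
    na, nb = normalise(a), normalise(b)
    return na == nb or edit_distance(na, nb) <= max_distance


def audit(entries, checks=("empty", "duplicate", "common", "similar")):
    """entries: title -> password. Returns title -> sorted list of findings."""
    findings = {title: set() for title in entries}
    titles = list(entries)
    for title in titles:
        pw = entries[title]
        if not pw:
            if "empty" in checks:
                findings[title].add("empty")
            continue  # nothing else to check on an empty password
        if "common" in checks and normalise(pw) in COMMON_PASSWORDS:
            findings[title].add("common")
    for i, t1 in enumerate(titles):
        for t2 in titles[i + 1:]:
            p1, p2 = entries[t1], entries[t2]
            if not p1 or not p2:
                continue
            if "duplicate" in checks and p1 == p2:
                findings[t1].add("duplicate"); findings[t2].add("duplicate")
            elif "similar" in checks and is_similar(p1, p2):
                findings[t1].add("similar"); findings[t2].add("similar")
    return {title: sorted(found) for title, found in findings.items()}


# Constructed sample vault exercising every check.
SAMPLE_VAULT = {"Email": "Princess", "Forum": "princess1", "Bank": "Tr0ub4dor&3",
                "Shop": "Tr0ub4dor&3", "Wifi": "", "Git": "xk9#Qm2!vL7p"}
```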

Technical Overview

The Auditor runs in the background at low priority (it’s usually very quick/instantaneous but will depend on the number of entries in your database) so it never gets in your way.

All of the above checks are done completely offline, there is no network activity. It goes without saying that your passwords are never sent to any super smart server for checks. The auditor is smart enough to be able to do this all on your device only. Switch on Airplane mode and give it a try!

Configuration

Of course all of these checks may not suit your usage. So you can configure the individual checks the Auditor performs or just switch the whole feature off entirely. It’s up to you. The configuration screen can be found by tapping the ‘Preferences’ button (little gear icon in the bottom left corner). Tap on ‘Database Auditing’:

The Audit Configuration screen will then appear:

Here you can control the Auditor!

We hope you enjoy the new Audit feature, let us know what you think!

-Mark (Strongbox Founder)