Strongbox Newsletter #3

Note: This is issue 3 of our newsletter (of November 24th 2021) sent out to our subscribers by mail every now and then. Interested to hear news and updates about Strongbox, KeePass, Password Management and the wider InfoSec world.

Hello there, we’re back with some updates on Strongbox and the personal password management world in general. Thanks for signing up and we hope you’ll enjoy.

Strongbox Zero (iOS) – For the Hardcore

This is a new one for us. Strongbox Zero is a version of the Strongbox you know and love, but with all the networking code stripped out. It’s for those hardcore few who want nothing but the essentials. 

Think of it as the drag racer version of Strongbox. We’ve eliminated all iCloud, Dropbox, Google Drive, and OneDrive support. Also, Import from URL, Transfer over Wi-FI, HIBP audit, and FavIcon downloading code. We’ve compiled out any and all 3rd party libraries we could and eliminated our own networking features. Basically, it’s as close as you can get to air-gapping Strongbox without actually air-gapping your device.

We know this isn’t for everyone, but we wanted to go the extra mile for those true security heads. We’d love some feedback on it, however we don’t recommend this for the casual user. Instead, we recommend getting to know Strongbox through the Free version and if you think local databases only are for you, then go for it.

You can find Strongbox Zero on the App Store here.

Strongbox macOS News 

WebDAV & SFTP Support

Strongbox has long supported WebDAV and SFTP on iOS, but more recently we’ve added support for these protocols on macOS. This means you can move to fully hosting your own databases, on your own server, and access them on iOS and macOS.

WebDAV has become a popular method of hosting databases because of the rise of Nextcloud and Owncloud software. These options allow you to get the same kind of polished integration you get with the commercial cloud drive providers but completely and totally hosted on your hardware. 

We’ve been playing with these setup’s internally, though we still love SFTP for that old school vibe, while public key authentication gives us a warm fuzzy feeling. 😎 What’s your favourite hosting setup?

Apple Silicon

This one is a biggie for those you on the bleeding edge… Strongbox now runs fully natively on Apple Silicon. We had so many requests for this, even though Strongbox ran perfectly on Rosetta. People just love squeezing that last ounce of juice out of their machines! 

We had to perform some compiler magic, say a few prayers to the LLVM gods, and become more familiar with third party libraries than we would have liked, but the result was worth it. Of course, we still support the good olde x86 architecture too. Sorry, you can’t use us as an excuse to upgrade! 

UI Overhaul 

We know we’ve got a lot of work to do when it comes to bringing our macOS UI up to the polish we have on iOS. The current macOS app is looking a little dated and has its quirks. A bit like ourselves. So, over the next few months we’re pouring resources into really improving things for you. Expect to see a more polished finish and a few perhaps more than cosmetic changes to how Strongbox works. We’ll try not to be too drastic, but it’ll certainly be more than a facelift. This should however enable us to bring the macOS App up to full feature parity with iOS. Just a heads up!

The 1Password Kerfuffle

More ink (pixels?) has been spilled on this than I think AgileBits ever expected. The outcry was immense. 1Password, one of the world’s most popular password managers, made the fateful decision to abandon many of its most ardent supporters. In one fell swoop, they dropped support for local vaults (our specialty), introduced a new pricing model, and decided to use a (controversial) UI development technology alienating former fans. Quite the coup…

We’ve been inundated with queries and requests, and we’ve been struggling to try to help 1Password migrants come over to the open-source password management world. We were a little slow due to the complexity of 1Password’s export file format, but we finally got our 1Password import feature finished a few weeks ago and the feedback has been pretty positive.

So, if you’re a curious 1Password user, why not give it a try? One thing we do promise is not to switch to Electron on you. 🤢

Black Friday & Cyber Monday Sale (20% off)

As ever, we’ll be running a 20% off sale on all our Apps this Black Friday through to Cyber Monday. We’d love for you to get a bargain and you’ll be supporting us scrappy Indie devs too. Just a heads up, so you can let your friends and family know.

And for those of you on the other side of the pond, happy Thanksgiving. Oh and happy Hanukkah too! Perhaps you can espouse the benefits of using a password manager to your more security challenged family? What a dinner topic! 

Finally…

That’s it from us at Phoebe Code headquarters here in London. We hope we kept things short, sweet and interesting. Let us know what you thought or if you think we should cover anything in the next newsletter. 

BTW, if you’d like to show your love and support, the best thing you can do (apart from purchase a license!) is to leave a review for us on the App Store. It would mean the world to us if you left us a short 5 star review. 

All the best,

-Mark (Strongbox Founder)

Welcome 1Password Refugees

Just take me to the 1Password to KeePass migration steps…

Introduction

We have received much correspondence over the last month or so from some very anxious 1Password users. The news that 1Password is dropping support for local only vaults as well as their decision to go with an Electron based UI has alienated former fans. Fortunately, here at Strongbox, we have no such plans to go with Electron and control over your vaults (we call them “databases”) is kind of our thing. We believe you should own your most important secrets and that not everything needs to be stored or managed in the cloud.

The Migration Frustration

One of the biggest complaints from users coming from the fully managed 1Password environment is how to get your databases from 1Password into Strongbox or even just a more portable format. Previously we had a long set of instructions with exceptions, tricky steps and third-party tools. 1Password has not made it an easy task for other developers to import their vaults. The format of their export files can only be described as a frustrating and chaotic mess. Not to be deterred, we’ve worked hard on deciphering the madness, and now, with the release of Strongbox version 1.16.2 on MacOS, we have a much simpler set of instructions which should lead to a much better experience for 1Password refugees.

Open Source Databases not Managed Cloud Vaults

Strongbox uses a time tested and super secure, open-source format called KeePass by default to manage its databases. This means there is no lock in. If you decide you don’t like Strongbox, that’s fine, take your vaults to one of the many other KeePass clients available on every platform known to humanity. We’ll work hard though to make sure you like Strongbox.

Conclusion & Feedback

So, as the founder, I’d just like to welcome you aboard. I hope you’ll like Strongbox, even if you just use it to convert your vaults into nice, friendly, open-source KeePass databases. I hope you’ll decide to stick with Strongbox. We’re a small company and we respect your privacy. We believe you should own and control your secrets, that’s our USP. We also offer a full 90 day free trial of all our Pro features, and after that we even offer a free and slightly more limited version that you can use forever. We hope though that you’ll choose to stick with us. Any feedback you have on the importation/migration process is most welcome. We’ll be adding import support to our iOS app shortly too. So, Welcome aboard!

-Mark

Full Migration Steps are available here.

Duress PIN – What is it and why would I need it?

So what is this Duress PIN thing and how does it work? The name gives it away, let’s look at a dictionary definition of duress:

Note: The Duress PIN Feature is part of the iOS Pro feature set

The idea of a Duress PIN is simply that, if for whatever reason, you are in a bad situation where someone is forcing you to unlock your database, you can enter a different PIN than the correct one, and Strongbox will perform some kind of plausible action but not reveal your passwords/secrets.

You could be a human rights worker entering an authoritarian country with a no real commitment to personal freedoms or perhaps you’re simply someone who likes their privacy and wants to keep their secrets private. Sounds like a simple wish, but once you arrive at the customs port of your destination country, all bets may be off, the enforcers will want what they want or you’re not getting in. Maybe you work in a dangerous part of the world, and you fear some criminal elements may force you to reveal your banking details or similar. Whatever it might be, anyone could find themselves under duress.

So how do I setup my Duress PIN? The first thing you need to do is setup a regular non-duress PIN, what we call a convenience PIN. This allows you to open your Password Database with a short set of digits (like your ATM PIN). To do this, simply:

  1. Unlock your database
  2. Tap the “More” or “Ellipsis” (…) button in the top right corner
  3. Tap Database Settings
  4. Tap Configure PIN Codes
  5. Tap ‘Turn Convenience PIN On
  6. Now enter a PIN Code, you’ll now be able to Unlock your database with this PIN Code.

Next we will want to setup a separate PIN, our Duress PIN. To do so, let’s go back to that PIN Configuration screen:

  1. Down in the Duress PIN section, tap ‘Turn Duress PIN On
  2. Enter a PIN, different this time than your regular convenience PIN.

Once done, you’ll notice that the ‘When Duress PIN Entered‘ section is now enabled and you can choose from the three available options. Let’s have a look at these options in turn and see what they do:

  1. Open a Dummy Database
    • This might be the most ‘stealthy’ option of all. Strongbox will open a database so it looks just like your Duress PIN worked. You can actually edit this database to make it look as realistic as possible. Think of it perhaps like a decoy wallet. You want something that looks plausible (e.g. old expired credit cards, maybe even a few dollars!). So you probably want to spend some time setting this up, just don’t enter your real secrets/passwords.
  2. Present a Technical Error
    • A fairly straightforward response, a reasonable looking error message will popup. Simple yet effective.
  3. Remove Database from Strongbox
    • This is sort of the nuclear option. The database will be removed from Strongbox completely. If your database is stored on a remote provider somewhere it won’t be touched, so don’t worry. It will just not be visible or accessible from Strongbox without re-adding it. However if someone is watching you while you do this it might be obvious you’ve done something to thwart them.

Those are your options, and you’ll need to choose which one suits your particular scenario best. We can’t offer advice on this, only you can decide. Indeed, you will need to decide if you want to use this feature at all. Take a look at our short note of caution below before deciding if using a Duress PIN is something you really want to do. Another option you may consider is to simply remove the database from Strongbox completely during transit in and out of problematic territory. You can re-add your database once you’re safely through that tough jurisdiction, or sticky situation.

A Final Note of Caution

It may actually be illegal or counter productive to enter a duress PIN in some situations, because if you get caught somehow doing this, the relevant forces/legal authorities may consider this as a deceptive act and may take punitive measures against you. This is something you’ll need to consider as part of your particular situation and threat model. It is worth examining how your target jurisdiction will react if you somehow were discovered to be using a Duress PIN in a situation like this. Strongbox only provides this powerful option, the choice then, is entirely yours.

WebDAV and SFTP now available on MacOS

Strongbox now supports WebDAV and SFTP on MacOS. These new storage providers have been much requested because they provide the ability to host your own KeePass database on your own storage, in a way that allows for synchronisation across devices and availability from anywhere on the Internet (if you like).

Note: The WebDAV & SFTP are part of the MacOS Pro feature set

WebDAV and SFTP are public open protocols supported by a wealth of different devices. Indeed SFTP is probably the standard way of transferring files on Linux based systems. Because it is built on top of SSH it is also the most secure way to do this also. WebDAV is an open extension of HTTP, adding new methods like PROPGET and PROPFIND and can sit seamlessly on top of a regular HTTP(S) session. In particular WebDAV is supported by Nextcloud and Owncloud, 2 popular up and coming privacy conscious storage solutions, which allow users to operate or subscribe to their own personal storage solution. Often Nextcloud runs on top of a NAS. Alternatively, many NAS’s support WebDAV and SFTP natively, for example Synology and QNAP provide their own implementations.

If you’re not keen on storing your database on your cloud provider, perhaps a free Dropbox or Google Drive account, but you want the convenience of a centralised location to store your password database, then WebDAV or SFTP could be for you. Strongbox tries to make this straightforward and has supported these protocols on iOS for quite a while. Now these protocols are available on MacOS.

To add a WebDAV or SFTP hosted database to Strongbox, simply:

  1. Launch Strongbox and bring up the Databases Manager window (Command + D).
  2. Tap the ‘Add Database…‘ button in the bottom right hand corner and select WebDAV or SFTP as preferred
  3. You’ll now be prompted to enter the location of your server, and authentication information. Tap Connect when done.
  4. Once successfully authenticated against your server you can start to browse your files and folders.
  5. Locate your database, and tap Select.
  6. You should now have added this database and you’ll be presented with the Unlock screen.
Strongbox SFTP Setup – Browsing for a database on MacOS

Strongbox will sync your changes back and forth (merging automatically where necessary). Strongbox also checks if your database has been changed by another process periodically and updates it if so, so you’re always working with the latest version.

We hope you’ll like this feature and that it’ll all be smooth sailing, of course we’d love to hear what you think and if we can improve in any way!

Strongbox Newsletter #2

This is issue 2 of our newsletter (April 26th 2021) sent out to our subscribers by mail every now and then. Interested to hear news and updates about Strongbox, KeePass, Password Management and the wider InfoSec world.

Continue reading

Syncing with a Synology NAS

It seems that Synology released an update (version 5.15.0 on April 13th 2021) to their DS File App which appears to be problematic for users who use the “Files” method to sync their databases with Strongbox. Unfortunately we don’t know exactly what Synology have done here, and there’s little we can do to fix things. So we would like to make sure everyone is aware of the best way to perform sync with a Synology device.

Update 13-Sept-2021: We are receiving reports that Synology have now fixed their App. We continue to recommend the methods below.

Recommended Methods

We always recommend users use either WebDAV or SFTP to sync their databases with their Synology NAS devices as it appears to be a much more reliable method and isn’t prone to getting things out of sync or randomly failing. You can also access your NAS via SFTP/WebDAV using the MacOS version of Strongbox.

A Note on using SMB

Unfortunately there are reports that SMB isn’t very reliable via iOS Files and also suffers from security issues, so using it over the public Internet isn’t recommended.

WebDAV & SFTP – Recommended

So we’ll stick with WebDAV & SFTP. This is all the more pressing now with the release of the broken DS File update. In this article we’ll cover getting WebDAV or SFTP up and running and connecting via Strongbox’s built in WebDAV support.

WebDAV

The authoritative Synology instructions can be found here. In a very short summary you need to:

  1. Log in to the Disk Station Manager or DSM with an account belonging to the administrators group.
  2. Go to Package Center to install WebDAV Server.
  3. Launch WebDAV Server and check Enable HTTPS checkbox. You can customise the port number if you like.
  4. Save the settings.
  5. To access from Strongbox, choose Add Existing Database
  6. Choose WebDAV
  7. Enter the IP address or the hostname of your Synology NAS followed by a colon followed by the port number (usually 5006 but may be different depending on how you have configured it). For example: https://my.host.com:5006
  8. Enter your username/password.
  9. You may not have configured a fully functional certificate (we would recommend that you do, you could use Lets Encrypt for example), if your certificate isn’t valid, then tick the ‘Allow Untrusted Certificate’ checkbox in Strongbox.
  10. All going well you should now be able to browse your file system for your password database.
  11. Finally add that database and you’re all set!

Some tips/tricks from other users who managed to get WebDAV working on their setups. These may or may not apply to you and haven’t been verified:

  • Ensure that the correct WebDAV port number is used in the URL/Address you enter
  • Make sure the WebDAV port is enabled in the Synology’s firewall
  • Make sure the WebDAV port is forwarded on the router if accessing remotely
  • Ensure Synology user account has WebDAV permissions
  • If using your own (untrusted) SSL certificate, ensure “Allow Untrusted Certificate” is enabled
  • In some cases you may need to append /home to your WebDAV URL. See here for more details.
  • Ensure the user password does not have any special characters if you are getting authentication errors
  • TLS/ SSL Profile Levels at “Modern compatibility” seem to work but you may want to change this if you have trouble.

SFTP

The authoritative Synology instructions can be found here. In a very short set of instructions:

  1. Log in to the Disk Station Manager or DSM with an account belonging to the administrators group.
  2. Click on Control Panel
  3. Click on File Services
  4. Click on the FTP tab
  5. Scroll down to the SFTP Section and enable
  6. Now, SFTP is live. We just need to make sure that a user is able to access the SFTP service. You can do this under Control Panel also. Select the Users component and create or ensure your user has SFTP access.
  7. To access from Strongbox, choose Add Existing Database
  8. Choose SFTP
  9. Enter the IP address or the hostname of your Synology NAS.
  10. Enter your username/password.
  11. All going well you should now be able to browse your file system for your password database.
  12. Finally add that database and you’re all set!

There is a good YouTube video which explains the steps to configure your Synology as an SFTP server.

Other Helpful Hints, Tips and Tricks

There is a plethora of information in the below video for how to configure your NAS for external connectivity which you may find helpful. It is presented in a friendly and funny way. Worth a look.

Please let us know if we should any other details, or how your experience was with these instructions, so that we can update this article for others.

Interview with Strongbox Founder on Safety Detectives

Recently our founder, Mark, sat down (virtually) for an interview with Aviva Zacks over at Safety Detectives. In this short piece he speaks about the origins of Strongbox, how the threat landscape is looking and the growing need to manage our online lives securely. So, if you’re interested and have a few minutes, why not take a look. You can find the interview here:

https://www.safetydetectives.com/blog/interview-mark-mcguill-strongbox/

Thanks to Aviva and Safety Detectives for reaching out.

Offline Editing

Strongbox on iOS now supports Offline Editing. Previously it was only possible to view your database while offline but now it’s possible to add, remove, edit and reorganise your database while out on that remote hike, on a flight or even just on the Tube.

Offline Editing depends upon our recently released feature Compare & Merge and the ability to maintain an independent local copy of your KeePass (or Password Safe) database with changes, and synchronise with a remote version of your database.

NB: Offline Editing is a Pro only feature (though you can always view a read only copy of your database in the free version).

Strongbox tries to detect when you are offline and immediately offer this option to you, but sometimes you will just want to manually initiate this offline editing process yourself for whatever reason. That’s super easy now. Just long tap on your database and select Open Offline.

You can always edit offline by selecting Open Offline from the context menu
The orange icon indicates that there are pending changes to be sync’d to your remote storage location.

This will open Strongbox in Offline mode. This means you can still make all the changes you normally would, or just search for an entry. However, any changes are stored only locally, ready for sync’ing back to your remote storage location whenever you next come online, or perform a sync. If you do have local changes that need to be sync’d you will see an orange icon next to your database on the main Databases List (“Home”) screen. You can always initiate a sync by pulling down on the Databases List or just tapping to unlock the database in question. Strongbox will manage any synchronisation conflicts and present options to merge if required.

This was one of our most requested features so we’re really happy to have been able to get this one out the door. It took a lot of work and relies on some other features that we’re really proud of. We hope you’ll like it, find it useful and that it makes your life a little bit easier.

Advanced Sync and Auto-Merge (iOS)

With the release of Strongbox 1.51.0 comes (finally) the much requested “Advanced Sync” feature. We wrote about this a little in our previous update about Compare & Merge. It is the “Merge” part of this feature where the real magic happens. This is core component that Advanced Sync relies on to perform smart updates so that you don’t lose or overwrite your important data.

Advanced Sync occurs in two directions. When you tap (or pull down) on your database, you “read” the latest version of your database from say Dropbox or your SFTP server for example. It also occurs when you add items or edit your database on your iOS device and push changes (or “write”) to the same remote storage provider.

Advanced Sync checks to see if the remote (e.g. Dropbox) database has been modified or changed from the copy you have “locally” on your device. It’s quite possible if you’ve got a family member or colleague working on the same database, or if you’re working across multiple devices swiftly. This leads to the dreaded “Sync Conflict” scenario. There are two conflicting versions of your database.

Previously you would have no choice but to choose between versions (local or remote) and allow an overwrite to happen. Less than ideal. Worse still, this may just have happened silently and you didn’t even get the option to choose which version to keep.

Sync Conflict Scenario – Now with option to Auto-Merge

With Advanced Sync, not only do you get informed that there are differences between your local copy and the remote, but you can view them (this is a Pro feature) and then choose to “Auto-Merge” them (available to all users Free and Pro) so that you keep both sets of changes. The Merge algorithm (described in more detail here) picks the latest changes, archives the older changes in your history and basically just does the right thing, getting out of your way. It won’t force you to pick a version in a confusing fashion either! It really is the best of all possible worlds as an old philosopher once said.

This has been a long requested feature and we believe this kind of functionality is a blessing in a password manager based on flat files and not on a centralised server where someone else owns your data. We hope you’ll agree this is really useful and important.

That’s it from us, it’s been a busy period of development (apologies for the flurry of updates recently!) and getting these changes out the door is not as smooth a process as we always hope. Thanks for putting up with these changes and please feel free to share this article if you think it will be of interest to anyone.

Coming Soon: We’ll talk a little about Offline Editing, our latest and (possibly) greatest feature!

Strongbox Newsletter #1

This is issue number 1 of our newsletter (Jan 26th 2021) sent out to our subscribers by mail every now and then. Interested to hear news and updates about Strongbox, KeePass, Password Management and the wider InfoSec world

Continue reading

Hallo Nederland! – Strongbox now available in Dutch

Strongbox (1.52.0) has just been localized into Dutch with the help of a wonderfully dedicated volunteer (Thank you!)

We hope this makes things a lot more comfortable and apologies for the delay in getting this out the door!

Compare & Merge (iOS)

Preview in new tab

A key component required for developing the Advanced Sync feature (coming soon) is the ability to compare databases and then to merge them. It’s quite a big feature and the development work is quite large. Since Advanced Sync is our number one development priority we’ve been deep in the code caves working on it for quite a while. Apologies if it looks like we’ve been slacking off!

With the release of version 1.50.13 on iOS we decided to not only add this functionality but also to make it available in a friendly UI. So no more flying blind when you’ve got 2 slightly out of sync copies of your databases. Just fire up Strongbox, select Compare & Merge from the context menu and let it do the hard work of comparing all entries. Optionally then you can choose to merge the databases so that you have the latest entries, edits and moves from both.

NB: The Compare feature is a Pro feature only. Advanced Sync (see below) will be available for free as we believe it’s just bad news for everyone in the password management world if we have out of sync databases promulgating.

Scenario – Mary & Joe and their shared database

Let’s take a look at this new feature briefly. One of the most common ways you can get out of sync versions is when you have multiple “editors”. Perhaps you are sharing your database with your partner Mary. Let’s say Mary goes off on a nice hike and (for some reason) decides to cleanup or re-organise your shared database. Meanwhile around the same time, you are at home and you just found a cool new bookshop which you signed up to immediately. Of course you diligently entered your login details into your Strongbox database. Well now we have arrived at that dreaded out of sync situation… What do these two databases look like? Let’s see an illustrative example.

Joe found a new bookshop…
Mary’s been busy organising!

Ruh roh… This is less than ideal. Joe has added his new favourite bookshop, Waterstones, to the database. Meanwhile Mary has been tidying up the database, moving entries around and creating a nice group structure. Ideally we really don’t want to lose any of these changes!

Well that’s where the new Compare & Merge feature comes in super handy! Let’s say Mary gets back and now you both realise your databases are out of sync. No problem! Let’s get Mary’s copy on to our devices and get the process started.

We tap and hold our database and select ‘Compare & Merge’ then follow the instructions on screen.

Get started by tapping Compare & Merge
Comparison

Finally we get to the comparison screen. As you can see Strongbox has figured out what changes were made by Mary and the changes necessary to bring your database up to speed with all of her changes. You can see she has moved a number of items around (you can even drill down and find out to where) and created a number of groups.

If you’re happy with all these changes you can go ahead and tap Merge to have Strongbox perform these moves, additions and edits. So that’s it! Here’s what that looks like after the Merge.

After Merge

That’s all there is to it really. There is a ton of complexity hidden behind this pretty UI but we hope that’s what you’ve come to expect of Strongbox. Now a short word on our next major feature, Advanced Sync, which automates this process, and which we promise is coming really soon!

Advanced Sync – Coming Soon

As you have probably guessed the same algorithm that is used for comparing and merging your databases intelligently can be used and automated when Strongbox detects your local and remote databases have gotten out of sync. Advanced Sync depends on this smart/intelligent algorithm and so that’s why this latest feature ‘Compare & Merge’ has come first. It’s a little more awkward to setup a merge because you need to add the other version of the database. We feel it was worth making this it’s own feature though. You never know when you’ll need to compare databases! Advanced Sync will seamlessly integrate this feature into the already extensive Sync architecture of Strongbox. Fingers crossed you’ll never see another out of date version of your database again.

Conclusion

Compare & Merge is a super handy tool for your databases. It should give you the confidence you need to perform merges and perhaps even figure out how you ended up in the non synchronised state in the first place. The process will be more automated as part of your regular Strongbox sync in the coming weeks so you might come across this and appreciate it completely serendipitously… We hope you’ll like it! 🙂

Lastly if you liked this article or you think this is a cool feature, please feel free to share it on social media or with your friends and family.

Ahoj Česko! Hello Czech Speakers

Strongbox has just been localized into Czech with the help of S474N who managed the localization in record time and has done a wondeful job, we hope you’ll agree!

Czech (😅) it out!

AutoFill on MacOS Big Sur

With the release of MacOS Big Sur Apple now provides a fully integrated way to fill in your passwords on different sites and App, all inside that App or site. There’s no need to switch to your Password Manager and Copy/Paste. Strongbox (as of 1.14.0) now integrates with Apple’s Password AutoFill subsystem to offer suggestions and fill in passwords. This follows on from the iOS integration which has been available for a few years now and has proven very convenient. Finally it has come to Mac.

NB: Mac AutoFill support is only available with Strongbox Pro. You can try this out for free for 90 days with no obligation to buy. We hope you’ll love it.

Note that this AutoFill system on works on Apple’s latest OS (MacOS Big Sur) and only with Apps and Browsers that have upgraded to support the Password AutoFill system. So far, as of post time, the only major browser that supports AutoFill is Safari. We believe this will change over the coming months and we should see ubiquitous Password AutoFill support in most browsers and Apps in short order.

Setup

Setup should be straightforward. In Strongbox there is an Onboarding Wizard that should help guide you through initial configuration. But you can always checkout your Strongbox AutoFill settings by unlocking your database and clicking on the menu item:

Database ‣ AutoFill Settings

You will then be presented with the following screen:

As you can see the first checkbox will hint that you should enable the Strongbox AutoFill component in the System Extensions preference pane. It can be found on your Mac here:

System Preferences ‣ Extensions ‣ Password AutoFill ‣ Strongbox

Once the Strongbox AutoFill extension is enabled on your system the other options will become available in Strongbox’s AutoFill Settings screen. You can enable or disable Strongbox AutoFill individually for each of your databases.

Safari Settings

With Safari being the primary browser for a lot of Mac users, you will also need to make sure Safari is AutoFill enabled. You can find this setting under

Safari Preferences ‣ AutoFill ‣ Usernames and Passwords

Make sure this is enabled. You can read a little more about those settings here.

QuickType AutoFill

One of the most convenient aspects of AutoFill is QuickType. This is where suggestions for credentials are presented to you inline in your browser or App and you can immediately select the appropriate one.

QuickType in Action

You can opt-in or out of this behaviour by checking the ‘Enable QuickType AutoFill’ checkbox on the AutoFill Settings screen.

One More Thing – The Wormhole

Unlocking your database can be a cumbersome process, Strongbox is designed for protection against brute force attacks and therefore requires some heavy processing before it can open your database. Further if you’re not using Touch ID or Apple Watch Unlock entering your master password takes time and is error prone. Strongbox AutoFill has the capability of unlocking your database independently but if it detects that you already have your database unlocked in the background it can establish a secure tunnel or “Wormhole” to request your credentials without requiring authentication or going through the whole unlock and decrypt process.

NB: that you must tap on a QuickType suggested credential for this to work. It doesn’t work if you just select ‘Strongbox’ from the little key dropdown. This is because the AutoFill component can only request a specific credential from a specific database via the wormhole.

This is an optional performance enhancement feature, and again you can opt in to it by checking ‘Use Wormhole Fill if Unlocked’ option on the AutoFill Settings screen.

We really hope you’ll find this new feature super convenient and as other third parties start supporting Password AutoFill we should see some really great results and a smooth painless password filling process for Mac at last!

Update 27 December 2020: It looks like Firefox are aware of this issue but could perhaps use some encouragement in integrating into their browser! See here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1650212

Update 08 February 2021: It looks like Chrome are now aware of this issue but could perhaps use some encouragement in integrating into their browser! Please show your enthusiasm. 🙂

https://bugs.chromium.org/p/chromium/issues/detail?id=1170065#c14

Konnichiwa Japan! -こんにちは日本

As of version 1.49.24 on iOS and coming soon on Mac, Strongbox is now localized in Japanese and available to all users in Japan! We hope you’ll like it. 🙂

We know that KeePass is super popular in Japan and Japanese users are early adopters and power users of password managers and computer security in general, so we’re proud to finally offer a much more native experience. Please let us know what you think!

We’d love to add more languages and are always looking for help and suggestions, so please get in touch if you’d like to see Strongbox in your language!

Arrigato! ありがとうございました

Introducing Virtual Hardware Keys

Introduction

With the release of version 1.49.23 on iOS today, Strongbox now offers the possibility of creating Virtual Hardware Key’s. These are software implementations of the popular hardware tokens from various vendors. Strongbox already supports hardware keys over NFC and Lightning in the Pro edition.

Virtual Hardware Keys are a new feature of Strongbox available to all, free, for life. If you like Strongbox, consider supporting us by purchasing a subscription or license.

The Problem with Hardware Only Keys on iOS

While using a hardware token provides an excellent extra factor for encrypting your KeePass databases, there are (or were!) some downsides that really put a dampener on adoption of a hardware key as a second (or third) factor. One of the main blockers is the lack of support for NFC and Lightning in AutoFill mode. Apple does not allow NFC to be used in App Extensions (the technical term for the execution context of the Strongbox AutoFill component). Some vendors do not offer library support for Lightning (MFI) in App Extensions. This has led to a suboptimal situation whereby you can use your hardware key in the main Strongbox app, but you cannot use the extremely convenient iOS AutoFill feature.

Enter the new Strongbox feature, Virtual Hardware Keys. You can create a Virtual Hardware Key within Strongbox which is a software simulation of the process that takes place on your hardware key, technically a HMAC-SHA1 digest. To do this you will need the secret you programmed your hardware key with originally (something you will or should have stored somewhere very secure in case of device loss). Using this secret Strongbox can mimic your hardware key in software. Strongbox stores this secret securely in the Secure Enclave on your device.

Why Use a Virtual Hardware Key?

There are two main scenarios in which you’ll want to use a Virtual Hardware Key. Let’s deal with them in turn…

1. AutoFill Mode

As mentioned above, you cannot use a hardware key in iOS AutoFill mode due to system limitations. This led many to abandon a hardware key as a second factor on iOS. Because Virtual Hardware Keys are entirely software based, you can use them in AutoFill mode. Further, you can specify that a hardware key is required in the regular Main app (used to edit and provide full access to your database) but that a Virtual Hardware Key should be used in AutoFill mode providing super quick and convenient access to your passwords within other Apps. Both hardware and virtual hardware keys can work on the same database seamlessly.

2. Emergency or Disaster Recovery

While using a hardware token to secure your database provides an excellent level of security, it is very possible to lock yourself out of your database by losing the physical key. Once that’s done, there’s no way to unlock your database unless you have the original secret used to program your key. That’s why, in our setup instructions, we recommend you keep this secret somewhere secure (like a safe in your house and/or offsite).

Now with Virtual Hardware Key support you can use this secret if you lose your hardware token to create a new Virtual Hardware Key and recover your database.

How Do I Create or Use a Virtual Hardware Key?

See our help article on how to create a Virtual Hardware Key for AutoFill mode or disaster recovery.

* This work was inspired by the problems and solutions discovered while adding full YubiKey support to Strongbox. Kudos to everyone on Github for their help.

New Security Audit: ‘Have I Been Pwned?’

With iOS version 1.48.3 (Pro) Strongbox now adds support for checking your passwords against the online ‘Have I Been Pwned?’ service.

The ‘Have I Been Pwned?‘ feature in action

What is ‘Have I Been Pwned?

Have I Been Pwned? is an online service that monitors and collects hacked credentials that are being trafficked in hacker underground communities and the dark web. It collects and collates these security breaches so that it can notify users if their account has become compromised. The site is run by renowned computer security and technology consultant Troy Hunt.

One particular element of the service allows you to check (in a secure way) whether a password appears in an enormous collection (more than 500 million) of known passwords. You can check an individual password here.

Strongbox uses the same API/Service to check your passwords and if they are known to be compromised to indicate this in the UI. This is an opt-in feature which is off by default. Read on for more details.

NB: This is a Pro feature only, it is not available in the free version of Strongbox.

What on Earth does ‘Pwned’ mean?!

Pwned is online Internet slang which is a corruption of the word “Owned”. So what does “Owned” mean? Owned in the context of computer security or hacker culture basically means a system or in this case, a password, is completely compromised. It is known and provides no protection against an adversary. For more entertainment see the Urban Dictionary definition.

How do I use it?

Since this feature is off by default you will need to navigate to Database Auditing preferences to try it out.

If this is your first time using the Have I Been Pwned? audit, you will be presented with a caveat/disclaimer to be certain your are comfortable with using this feature. You will need to accept this to move on.

As with all other audits if Strongbox finds a problem it will indicate it in the UI with an orange “Shield” icon, see the example below:

Once this feature is switched on Strongbox will gather your database passwords and securely check them by making a call to the online service. If you are interested in the technical/security aspects of this please read the How Secure is This? section below.

Since this is an online feature Strongbox will securely cache any compromised passwords so that you don’t have to be online to know which passwords have been marked as compromised on subsequent opens. Strongbox also will check the service at most once per day by default (this is configurable) to save network traffic.

How Secure is This?

One of the first questions people usually ask is how does this work, how can it possibly be secure? After all, to check my passwords don’t you have to send them to this service over the Internet?

The surprising answer to this question is No. Using some straightforward encryption techniques and a method called call k-anonymity this task can be performed while providing some very strong security guarantees. You can read more about the development and implementation of this system on Have I Been Pwned. In short the process works like this:

Procedure

  1. Your password is hashed (in this case using SHA-1). This maps your password to a 20 bytes in a fixed way. Hash functions try to make this process difficult to reverse and also provide an even mapping across the full range of the 2^160 possible values.
  2. This is then converted to standard hex format, e.g. 21BD12DC183F740EE76F27B78EB39C8AD972A757
  3. The first 5 digit prefix (20 bits) is then taken and used to query the online service. e.g. https://api.pwnedpasswords.com/range/21BD1
  4. This service lookups up all known compromised passwords with this SHA-1 prefix and sends them back to Strongbox. It also includes many other items which are not compromised (Padding).
  5. Strongbox checks this returned list for the suffix of the SHA-1 hash, in this case 2DC183F740EE76F27B78EB39C8AD972A757
  6. If found Strongbox knows that this password is not secure and will indicate this in the UI

Note that all this takes place over HTTPS.

The Attackers Point of View

Let’s assume that an attacker somehow managed to compromise your secure connection (not an easy task) and can see your network traffic directly. Only the 5-digit prefix (21BD1) is visible. This is 20 bits of a 160 bit hash, leaving an enormous search space of 2^140 possible matching hashes. A pretty hopeless task.

The attacker also has no way of knowing if your password is compromised or not by looking at the response. There are roughly 800-1000 hash suffixes returned in each response and it cannot be assumed your password is in this list. Indeed if it is, Strongbox will let you know and you can then act to change it in short order.

Conclusion

This has been a much requested feature and one I’ve been looking forward to for a long time. It finally came time when the Security Audit subsystem was released last week. I hope you’ll enjoy it, find it useful and that it helps make you more secure.

Of course I’d be very interested to hear any stories of the system finding something for you, or if you have any questions, comments or concerns.

New Audit Feature Released (iOS 1.48.0)

A brand new and very handy Audit feature has just been released to the App Store! Here’s a little more detail on this much request feature.

Details screen indicating a weak password (‘princess’ is a very common password!)

The Audit feature is designed to detect and highlight weak or compromised passwords so that you can take whatever action you feel is necessary to maintain your security. The Audit is performed by a new component imaginatively named the Auditor. When you unlock your database using your master credentials (or Face ID/PIN code), the auditor begins checking your entries for weaknesses. If it finds an issue it highlights it in the UI like this:

Browse Screen showing an entry with an audit issue

Audit Checks

The Auditor checks for 4 types or categories of weak passwords:

  • No or empty password
    • This checks for entries that have no password at all. This may not suit some users. Some people do not set passwords on all entries.
  • Duplicated passwords
    • This checks if a password is ever duplicated, i.e. used by more than one entry in the database. Ideally one should never reuse a password.
  • Well known or common passwords
    • The Auditor is smart and knows some of the most commonly used passwords, just like the hackers do. It checks each entry for well known and weak passwords. There’s never really a good excuse to use one of these.
  • Similar passwords
    • This is another smart feature of the Auditor, it is able to detect similar passwords, e.g. ‘Princess’ and ‘princess1’. Hackers are aware of these minor variations on a theme, and they should not be used to mask the underlying weakness of your passwords.

All of the above checks can be configured individually on or off, see below under Configuration for further details.

Technical Overview

The Auditor runs in the background at low priority (it’s usually very quick/instantaneous but will depend on the number of entries in your database) so it never gets in your way.

All of the above checks are done completely offline, there is no network activity. It goes without saying that your passwords are never sent to any super smart server for checks. The auditor is smart enough to be able to do this all on your device only. Switch on Airplane mode and give it a try!

Configuration

Of course all of these checks may not suit your usage. So you can configure the individual checks the Auditor performs or just switch the whole feature off entirely. It’s up to you. The configuration screen can be found by tapping the ‘Preferences’ button (little gear icon in the bottom left corner). Tap on ‘Database Auditing’:

The Audit Configuration screen will then appear:

Here you can control the Auditor!

We hope you enjoy the new Audit feature, let us know what you think!

-Mark (Strongbox Founder)