Hi, this is Kurt Liebezeit, also known as PDX_Kurt, bringing you a review of the Strongbox password manager system from Phoebe Software at strongboxsafe.com.
I kind of fell into using Strongbox through the back door, so to speak. For about a decade, I had been using a pair of open-source password database programs, KeePassXC on the Mac, and MiniKeePass on iOS, to store and manage passwords. I was manually syncing the shared database through a USB cable like a caveman. But a few years ago the developer of MiniKeePass decided to call it quits, and so I went looking for a new iOS password manager that could interoperate with the KeePass database format.
The one that I eventually settled on was Strongbox, partly because at that time the developer actually published his source code for inspection. Strongbox wasn’t free like MiniKeePass, but you could purchase it outright without a subscription. I could also see that the developer of Strongbox was consistently and actively improving it, which is important for a security-related app.
That early version of Strongbox had a way to read and update a shared database that you could keep on a cloud service like Dropbox, OneDrive, Google Drive or iCloud, but I was far too paranoid to do that – I continued to manually copy my master database from my beloved Mac Pro to my iPad and iPhone via the USB cable. I carried on like this for a couple of years without too much trouble. The most annoying thing, of course, was updating the master database when I signed up for something while out and about on my phone. I would end up writing an Apple note, texting myself, or scribbling the credentials on a slip of paper, and then have to remember to update the master database back at home AND sync the database out to devices again through that USB cable.
As you know, Allison occasionally requests content from her listeners, and that prompted me to look through my catalog of apps to see if there is anything that might be interesting to listeners. Strongbox came to mind since I thought that perhaps listeners might want to consider an alternative to the subscription model that is most common for apps like 1Password these days. In preparation for writing the review, I decided to check the Strongbox website for new features.
To my surprise, I found that Strongbox has added a ton of useful new features that even a computer paranoid like myself would use! I’ll get to those in a minute, but first I want to cover the basics for you.
Strongbox meets a lot of the basic needs of a password manager: you can organize your passwords into categories that you can name, it will generate long and strong passwords using customizable rules, it has a field to record notes about the credentials (you can even use Markdown), it will tell you if you’re re-using passwords on more than one web site, and it interoperates with Safari on iOS and MacOS to supply stored passwords at web sites you visit. There are browser extensions for Firefox and Chrome to auto-fill passwords on websites on MacOS. You can protect access to the database with a master password, a key file, and/or Apple device biometrics (FaceID or Touch ID). Strongbox also has a MacOS app, and that comes with some benefits which I’ll explain in a minute.
The major new feature that Strongbox added this year was dedicated syncing through iCloud. Formerly you could store your database on iCloud using Files, and direct Strongbox to use it, but it turns out that iCloud is not very responsive when it comes to syncing that file out to other devices. Apple’s file-based iCloud apparently uses a “when I get around to it” syncing model, and this led to complaints when people changed passwords on one device, and then didn’t see the change on other devices for a while.
The new syncing mechanism is called Strongbox Sync. It is still iCloud-based, but it uses dedicated Apple APIs that are much more granular and responsive. So you won’t see your database through the Files app, or the Finder, but under the hood, Strongbox is updating the database out to all of your devices connected through your iCloud credentials very promptly. So this is very competitive with the other big-name password managers.
The Strongbox developer also implemented another method of syncing for the slightly more paranoid crowd. This is called Local WiFi Syncing, and the way it works is this: you can have the MacOS app on your computer advertise this WiFi syncing method over Bonjour on your local network. Then, when one of your iOS or iPadOS devices connects to that local network, a synchronization and resolving operation is initiated between your Mac and your portable device. But while your devices are disconnected from the same network they are not sending any data to each other, which means that there is no possibility of a Monster in the Middle attack to steal your database.
I say synchronization and resolving above because this method allows you to make changes independently in your iOS and MacOS Strongbox apps while they are not connected to the same network, and then when you bring them together on the same local network the apps merge the changes into one unified database that reflects changes made in both places. It’s really cool tech.
Another feature that I really like about Strongbox comes from its KeePass database heritage. A KeePass database not only has a password to unlock it, but it can also require a key file. Key files are like a super-long, super-strong password that has to be present on the device before the database can be unlocked. How does that help you, you wonder? Well, a key file should be managed separately from the database file; Strongbox doesn’t sync the key file automatically between devices, so when the password database is in transit through iCloud it is missing two crucial pieces of data necessary to unlock the database: one is a password, which might be guessed, but the other is a key file that is very un-guessable. This means that even if the database is stolen from iCloud or intercepted en route from iCloud it is very, very unlikely to be unlocked with brute-force password attempts.
I would strongly recommend that you always associate a key file with your Strongbox password database. The most secure way to distribute that file to each of your devices is with the USB cable caveman method, but you only have to do that once.
Strongbox goes even further with the key file concept by allowing you to integrate a Yubikey as a second hardware factor that uses a challenge-response model. I’m already segregating all my super-important passwords for email and financial sites in a separate database, and I might add the Yubikey second factor to that database for extra security.
So, at the end of the day, who do I think would be most interested in Strongbox as a password manager?
Well, first and foremost would be data security nerds… you know the type… if you know what year the SHA-1 hashing algorithm became crackable then this app is for you! (SHA-1 fell into disfavor in 2005). If you want complete control over the encryption algorithm, where and how your password database gets stored and synced, with controls on the number of iterations, Have I Been Pwned auditing, two-factor Yubikey support, hosting it on your own server with SSH access, and more, then you can really nerd out with Strongbox.
The second group of people who might be interested are people who want a streamlined, full-featured password manager at a fixed buy-it-once price. It’s not cheap, but it’s competitive with the other providers. By the way, the Pro version (which covers iOS, iPadOS, and MacOS) is a $90 one-time purchase price, or available at a very reasonable $20 per year as a subscription.
And you’ll be surprised at who I think the third group of people are who might benefit from Strongbox: people who are too cheap to pay for a password manager at all, and are using iCloud Keychain! Here’s why: iCloud Keychain doesn’t provide that many controls or features, and it doesn’t work with Firefox at all.
Strongbox solves both of those problems. You can use Strongbox in a free mode, which includes all the basic features like syncing, browser autofill, password generation, and key file support. The major pain point in the free version is that you can’t autofill a browser interaction with FaceID or TouchID; it’s going to want your master password every time. But… you can get away with a very simple passcode of just a couple of characters if you’re using a key file since the key file would be long and strong and pre-shared to your device. I think that this would be very secure, and you would gain most of the other nifty features of Strongbox.
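Here is an added example (written for this review; it is not Strongbox's own code) that shows why the key-file argument above, and the earlier point about the database being useless in transit without its key file, holds. It follows the KeePass 2.x composite-key construction, which any KDBX-format client has to reproduce to unlock a database; the assumption that Strongbox uses the same rules is mine, and XML-format key files are left out for brevity. The names `keyfile_key`, `composite_key` and `unlocks` are invented for the illustration, and the password and key file bytes are constructed sample values.

```python
# Added illustration of the KeePass 2.x composite-key construction.
# Assumption: Strongbox, as a KDBX client, derives the same composite key.
# Example code written for this review, not Strongbox's source.
import hashlib
import secrets
from typing import Optional


def keyfile_key(contents: bytes) -> bytes:
    """Return the 32-byte key contribution of a key file.

    KeePass 2.x rules for the non-XML key file formats:
      - a 32-byte file is used as-is,
      - a 64-character hex file is decoded to 32 bytes,
      - anything else is hashed with SHA-256.
    (XML key files are also accepted by KeePass clients but omitted here.)
    """
    if len(contents) == 32:
        return contents
    if len(contents) == 64:
        try:
            return bytes.fromhex(contents.decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass  # not hex text; fall through to hashing
    return hashlib.sha256(contents).digest()


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """KeePass composite key: SHA-256 over SHA-256(password) concatenated
    with the key-file key (when a key file is attached).

    The real database additionally runs this value through a slow KDF
    (AES-KDF or Argon2); that step is omitted since it does not change
    the point about where the entropy comes from.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_key(keyfile)
    return hashlib.sha256(material).digest()


def unlocks(password: str, keyfile: Optional[bytes], expected: bytes) -> bool:
    """Would this (password, key file) pair reproduce the stored composite key?"""
    return secrets.compare_digest(composite_key(password, keyfile), expected)


def demo() -> dict:
    """Constructed sample: a two-character passcode plus a random 32-byte key file.

    Someone holding only the database file (say, lifted from cloud storage)
    and even the correct passcode still lacks 256 bits of key material.
    """
    passcode = "ab"                    # deliberately weak, as in the review
    key_file = secrets.token_bytes(32)  # constructed sample key file
    stored = composite_key(passcode, key_file)
    return {
        "correct_passcode_without_keyfile": unlocks(passcode, None, stored),
        "correct_passcode_with_keyfile": unlocks(passcode, key_file, stored),
        "keyfile_bits": len(key_file) * 8,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical reading: the key file is a second, pre-shared 256-bit input to the same hash, so the password's job is only to gate the local device, and anything copied out of iCloud without the key file is not crackable by guessing passwords alone.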
In summary, I’m so glad that I decided to do this review. I’m now getting a lot more utility out of my previous Strongbox purchase because I’m using both Strongbox Sync and Local WiFi syncing on different password databases. Check out the features of Strongbox Pro at strongboxsafe.com, and then make your purchase in the MacOS or iOS App Store.