Strongbox in the Mac App Store

Strongbox Password Manager – by Kurt Liebezeit

Hi, this is Kurt Liebezeit, also known as PDX_Kurt, bringing you a review of the Strongbox password manager system from Phoebe Software at strongboxsafe.com.

I kind of fell into using Strongbox through the back door, so to speak. For about a decade, I had been using a pair of open-source password database programs, KeePassXC on the Mac, and MiniKeePass on iOS, to store and manage passwords. I was manually syncing the shared database through a USB cable like a caveman. But a few years ago the developer of MiniKeePass decided to call it quits, and so I went looking for a new iOS password manager that could interoperate with the KeePass database format.

The one that I eventually settled on was Strongbox, partly because at that time the developer actually published his source code for inspection. Strongbox wasn’t free like MiniKeePass, but you could purchase it outright without a subscription. I could also see that the developer of Strongbox was consistently and actively improving it, which is important for a security-related app.

[Image: Strongbox Detail Page – the detail page showing the fields you can fill in for a given password and how to copy the password]

That early version of Strongbox had a way to read and update a shared database that you could keep on a cloud service like Dropbox, OneDrive, Google Drive or iCloud, but I was far too paranoid to do that – I continued to manually copy my master database from my beloved Mac Pro to my iPad and iPhone via the USB cable. I carried on like this for a couple of years without too much trouble. The most annoying thing, of course, was updating the master database when I signed up for something while out and about on my phone. I would end up writing an Apple note, texting myself, or scribbling the credentials on a slip of paper, and then have to remember to update the master database back at home AND sync the database out to devices again through that USB cable.

[Image: Editing an Entry in Strongbox – the edit page for creating or changing an entry]

As you know, Allison occasionally requests content from her listeners, and that prompted me to look through my catalog of apps to see if there is anything that might be interesting to listeners. Strongbox came to mind since I thought that perhaps listeners might want to consider an alternative to the subscription model that is most common for apps like 1Password these days. In preparation for writing the review, I decided to check the Strongbox website for new features.

To my surprise, I found that Strongbox has added a ton of useful new features that even a computer paranoid like myself would use! I’ll get to those in a minute, but first I want to cover the basics for you.

Strongbox meets a lot of the basic needs of a password manager: you can organize your passwords into categories that you can name, it will generate long and strong passwords using customizable rules, it has a field to record notes about the credentials (you can even use Markdown), it will tell you if you’re re-using passwords on more than one web site, and it interoperates with Safari on iOS and MacOS to supply stored passwords at web sites you visit. There are browser extensions for Firefox and Chrome to auto-fill passwords on websites on MacOS. You can protect access to the database with a master password, a key file, and/or Apple device biometrics (FaceID or Touch ID). Strongbox also has a MacOS app, and that comes with some benefits which I’ll explain in a minute.

[Image: Authentication Screen for Strongbox – the popup to enter master credentials, with the option to select a key file or use a hardware key]

The major new feature that Strongbox added this year was dedicated syncing through iCloud. Formerly you could store your database on iCloud using Files, and direct Strongbox to use it, but it turns out that iCloud is not very responsive when it comes to syncing that file out to other devices. Apple’s file-based iCloud apparently uses a “when I get around to it” syncing model, and this led to complaints when people changed passwords on one device, and then didn’t see the change on other devices for a while.

The new syncing mechanism is called Strongbox Sync. It is still iCloud-based, but it uses dedicated Apple APIs that are much more granular and responsive. So you won’t see your database through the Files app, or the Finder, but under the hood, Strongbox is updating the database out to all of your devices connected through your iCloud credentials very promptly. So this is very competitive with the other big-name password managers.

The Strongbox developer also implemented another method of syncing for the slightly more paranoid crowd. This is called Local WiFi Syncing, and the way it works is this: you can have the MacOS app on your computer advertise this WiFi syncing method over Bonjour on your local network. Then, when one of your iOS or iPadOS devices connects to that local network, a synchronization and resolving operation is initiated between your Mac and your portable device. But while your devices are disconnected from the same network they are not sending any data to each other, which means that there is no possibility of a Monster in the Middle attack to steal your database.

I say synchronization and resolving above because this method allows you to make changes independently in your iOS and MacOS Strongbox apps while they are not connected to the same network, and then when you bring them together on the same local network the apps merge the changes into one unified database that reflects changes made in both places. It’s really cool tech.

Another feature that I really like about Strongbox comes from its KeePass database heritage. A KeePass database not only has a password to unlock it, but it can also require a key file. Key files are like a super-long, super-strong password that has to be present on the device before the database can be unlocked. How does that help you, you wonder? Well, a key file should be managed separately from the database file; Strongbox doesn’t sync the key file automatically between devices, so when the password database is in transit through iCloud it is missing two crucial pieces of data necessary to unlock the database: one is a password, which might be guessed, but the other is a key file that is very un-guessable. This means that even if the database is stolen from iCloud or intercepted en route from iCloud it is very, very unlikely to be unlocked with brute-force password attempts.

I would strongly recommend that you always associate a key file with your Strongbox password database. The most secure way to distribute that file to each of your devices is with the USB cable caveman method, but you only have to do that once.

Strongbox goes even further with the key file concept by allowing you to integrate a Yubikey as a second hardware factor that uses a challenge-response model. I’m already segregating all my super-important passwords for email and financial sites in a separate database, and I might add the Yubikey second factor to that database for extra security.

So, at the end of the day, who do I think would be most interested in Strongbox as a password manager?

Well, first and foremost would be data security nerds… you know the type… if you know what year the SHA-1 hashing algorithm became crackable then this app is for you! (SHA-1 fell into disfavor in 2005). If you want complete control over the encryption algorithm, where and how your password database gets stored and synced, with controls on the number of iterations, Have I Been Pwned auditing, two-factor Yubikey support, hosting it on your own server with SSH access, and more, then you can really nerd out with Strongbox.

The second group of people who might be interested are people who want a streamlined, full-featured password manager at a fixed buy-it-once price. It’s not cheap, but it’s competitive with the other providers. By the way, the Pro version (which covers iOS, iPadOS, and MacOS) is a $90 one-time purchase price, or available at a very reasonable $20 per year as a subscription.

And you’ll be surprised at who I think the third group of people are who might benefit from Strongbox: people who are too cheap to pay for a password manager at all, and are using iCloud Keychain! Here’s why: iCloud Keychain doesn’t provide that many controls or features, and it doesn’t work with Firefox at all.

[Image: Strongbox Integration in Firefox – the Strongbox autofill option shown on the login screen in Firefox for USPS.com]
[Image: Strongbox Autofill on iPadOS – Safari browser autofill on iPadOS for USPS.com]

Strongbox solves both of those problems. You can use Strongbox in a free mode, which includes all the basic features like syncing, browser autofill, password generation, and key file support. The major pain point in the free version is that you can’t autofill a browser interaction with FaceID or TouchID; it’s going to want your master password every time. But… you can get away with a very simple passcode of just a couple of characters if you’re using a key file, since the key file would be long and strong and pre-shared to your device. I think that this would be very secure, and you would gain most of the other nifty features of Strongbox.
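The key-file model described earlier (password plus a separately distributed key file) and the short-passcode-with-key-file setup just mentioned, shown as an added example. This is illustration code written for this review, not Strongbox’s or KeePass’s own code: it hashes each unlock component separately and folds the hashes into one composite key, which is the general idea behind KeePass composite keys, but it is not the exact KDBX construction, and PBKDF2 stands in for the AES-KDF or Argon2 that real databases use. The key file, salt and iteration count are constructed sample values.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Constructed sample values so the example runs offline and deterministically.
DEMO_KEY_FILE = bytes(range(32))        # stands in for a real 32-byte random key file
DEMO_SALT = b"constructed-salt-16b"     # per-database salt, stored alongside the data
DEMO_ITERATIONS = 50_000                # the tunable work factor the review mentions


def generate_key_file(nbytes: int = 32) -> bytes:
    """Key-file contents for real use: random bytes from the OS CSPRNG.

    32 bytes is 256 bits of entropy, which is why the review can call the key
    file a 'super-long, super-strong password'.
    """
    return secrets.token_bytes(nbytes)


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Fold the password and, if present, the key file into one 256-bit value.

    Simplified version of the KeePass composite-key idea: hash each component
    on its own, concatenate the hashes, hash once more. Illustration only, not
    the exact KDBX construction and not Strongbox's own code.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def stretch_key(composite: bytes, salt: bytes, iterations: int) -> bytes:
    """Run a slow KDF so that every unlock attempt costs `iterations` of work.

    PBKDF2-HMAC-SHA256 is a stand-in here; KeePass databases use AES-KDF or
    Argon2 with a user-tunable iteration count.
    """
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def derive_unlock_key(password: str, key_file: Optional[bytes],
                      salt: bytes = DEMO_SALT, iterations: int = DEMO_ITERATIONS) -> bytes:
    """The key that actually protects the database: both inputs feed into it."""
    return stretch_key(composite_key(password, key_file), salt, iterations)


def unlock(password: str, key_file: Optional[bytes], stored_key: bytes,
           salt: bytes = DEMO_SALT, iterations: int = DEMO_ITERATIONS) -> bool:
    """Constant-time check of a derived key against the stored unlock key."""
    candidate = derive_unlock_key(password, key_file, salt, iterations)
    return hmac.compare_digest(candidate, stored_key)


def guess_space_bits(alphabet_size: int, password_length: int, key_file_bytes: int) -> float:
    """Bits of search space facing someone who holds only the database file.

    Password space (alphabet ** length) multiplied by the key-file space, which
    is capped at the 256-bit width of the hash that absorbs the key file.
    """
    password_bits = password_length * math.log2(alphabet_size)
    key_file_bits = min(8 * key_file_bytes, 256)
    return password_bits + key_file_bits


if __name__ == "__main__":
    # A two-character passcode, as the review suggests is workable with a key file.
    stored = derive_unlock_key("ok", DEMO_KEY_FILE)
    print("correct passcode + key file :", unlock("ok", DEMO_KEY_FILE, stored))
    print("correct passcode, no key file:", unlock("ok", None, stored))
    print("search space, no key file   : %.1f bits" % guess_space_bits(95, 2, 0))
    print("search space, with key file : %.1f bits" % guess_space_bits(95, 2, 32))
```

The point the numbers make: a two-character passcode from the 95 printable ASCII characters is about 13 bits of search space on its own, but once a 32-byte key file is folded into the same key, the database in transit is protected by roughly 269 bits, and a guess at the passcode without the key file yields a key that simply does not match. That is why the review recommends distributing the key file out of band and never syncing it alongside the database.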

In summary, I’m so glad that I decided to do this review. I’m now getting a lot more utility out of my previous Strongbox purchase because I’m using both Strongbox Sync and Local WiFi Syncing on different password databases. Check out the features of Strongbox Pro at strongboxsafe.com, and then make your purchase in the MacOS or iOS App Store.

5 thoughts on “Strongbox Password Manager – by Kurt Liebezeit”

  1. David Bennett - October 12, 2024

    Your thoughts on Strongbox compared to 1Password?

  2. Kurt Liebezeit - October 14, 2024

    Hi David, author Kurt here. I haven’t used 1Password myself, so what follows is my best effort at comparing what I am using (Strongbox) against something I haven’t used (1Password, as gleaned from their features page at https://1password.com/features ). My TLDR would be “Pretty comparable, minus the enterprise and family sharing features.”

    Password generator – Strongbox has a flexible password generator that you can tweak for length, uppercase/lowercase, number inclusion, symbol inclusion, etc. It can also generate diceware passwords (XKCD style), with similar controls on number of words, word separator, casing, augmented with number, salt, etc.

    Secure Vaults – you can create as many vaults as you like from either the Mac app or the mobile app. I should have mentioned it in my review, but 1Password also employs a key file in their implementation (they call it a secret key); the difference is that Strongbox gives you much more control in how the key is managed, stored, and transmitted. Strongbox uses the KeePass vault format, which has been used by the open source community for at least two decades, so I think it is reasonably well battle-tested. I’m not sure whether 1Password has Yubikey support, which Strongbox does support. Strongbox also gives you more options on where you store your vaults, and how you access them; you can store your encrypted vault on a personal server or VPS, and tell Strongbox to access it via SSH or WebDAV if you like.

    Password sharing – Strongbox is not really set up for fine-grained control of password sharing, as 1Password is. You can kinda do it on a per-vault basis with the Local WiFi Syncing feature: when you set that up the host offers a six digit PIN that must be entered on the client devices or Macs to gain access to the database. I think that this means that you can give that PIN to your family member to allow access to the entire vault when the family member is on the same WiFi network.

    Unlock with Single Sign On / Access Management / Custom Policies – these are enterprise features that Strongbox does not have.

    Watchtower – Strongbox is pretty comparable here. It does flag weak passwords, reused passwords, and passwords that appear in “Have I Been Pwned”.

    Passwords – Strongbox has support for autofill on Safari, Chrome, and Firefox.

    Passkeys – Strongbox supports passkeys.

    Two factor authentication – Strongbox supports storing the second factor in the app using the Google TOTP algorithm.

    Financial information / Address autofill – Strongbox does not appear to autofill credit card information or address information.

    Secure notes – Strongbox does not support a separate category for secure notes, but there is nothing stopping you from creating an entry whose only purpose is to put information in the Notes field.

    Some things that Strongbox has that I don’t see mentioned in 1Password’s feature list:
    – You can set up a “duress vault” that opens when you supply a certain passcode. The duress vault would have dummy information in it.
    – Strongbox mentions that it has Microsoft Sharepoint integration; I’m not sure what that is or how it works.

    You can find the full list of Strongbox features here: https://strongboxsafe.com/comparison/

    I hope that this helps!

  3. podfeet - October 14, 2024

    FYI – did a quick search and 1Password does support 2FA with a FIDO U2F Key (like Yubikey): https://support.1password.com/security-key/

    One thing I haven’t heard mentioned with Strongbox is specific categories for other items. e.g. 1Password has categories with fields tailored for SSH Keys, API credentials, bank accounts, crypto wallet, databases, drivers licenses, email accounts, medical records, memberships, outdoor licenses, passports, reward programs, servers, social security numbers, software licenses, and wireless routers.

  4. Kurt Liebezeit - October 14, 2024

    The KeePass vault file format (and thus by extension Strongbox) does support categorization of entries (Strongbox calls them “Groups”). I have mine divided into groups like “Email”, “Administrative”, “Devices”, “Internet”, etc. You can set a custom icon for groups (and also for individual entries – Strongbox will even try and download a favicon for you if you like).

    I’m not sure how 1Password works, but it sounds like you can choose a type of category and then the user interface is adapted to the type of data that would be associated with that category? With Strongbox it is a little more manual in nature: you could create a group for bank accounts, but then you would need to customize each entry that you create within that group to have the fields relevant to that kind of information. Strongbox does allow you to create arbitrary fields within a database entry and name them as you like, so for an entry within the Banking group you might create fields for “Bank name”, “Account number”, “ATM PIN”, “Email address”, etc. You can see what is possible in the second image of the review above, “Editing an Entry.”

    The Strongbox search system understands custom fields, so you can even search for items in custom fields.

  5. podfeet - October 14, 2024

    You understand correctly, Kurt. 1Password’s tailored entry types have the fields you’d need for that particular thing. e.g. for SSH Key, it has a place where you are invited to drag a private key file in to import (and has a little key icon.) Bank Account has a place for the account number and the routing number.
