
B-Folders password manager review

June 10, 2015 — BarryK
I recently wrote a mini-review of SafeInCloud, a very nice password manager:
http://bkhome.org/news/201505/safeincloud-password-manager-mini-review.html

These days, a "password manager" holds much more than just usernames and passwords, and can be used to keep a wide variety of information secure. I found SafeInCloud to be one of these modern secure information managers, very customizable, and a delight to use.

However, as I explained in the review, I decided to discontinue its use, due to lack of a virtual keyboard for entering the master password.

Since then, I have been testing more password managers, and finally I have found one that ticks all the boxes: B-Folders.

Security
The developers of B-Folders have put a lot of thought into security, and I cannot see anywhere that might be a potential weakness.

The Android version uses an internal WebKit-based browser to take care of secure auto-filling for login, though external browsers can also be used, and even the clipboard (which is cleared immediately after use).

B-Folders can use a virtual keyboard for entering the master password, the lack of which worried me with SafeInCloud and many other password managers.

However, the virtual keyboard is only for numeric input. For alpha-numeric entry, the standard Android keyboard is used.
Hmmm, a numeric password will have to be very long to be uncrackable -- see further notes on this at the end of this review.

B-Folders does not support a fingerprint sensor for login. There is probably a good reason for this, as B-Folders does not want to store the master password. Using a fingerprint scanner means that the master password has to be stored locally, encrypted of course, but that is still a potential weakness.

Installation
I obtained B-Folders from the Google Play Store:
https://play.google.com/store/apps/details?id=com.jointlogic.bfolders.android

OK, it is free, but offers an in-app purchase. This is a "Utility pack" that cost me $6.20, with some useful, though not essential, extras.

Usage
B-Folders does not have the "bling" of SafeInCloud, and in a few places is less intuitive. So, I had a good read of the online docs. I found that it actually is easy to use, and was soon entering data and testing online logins.

It is the "card" paradigm, in this case with folder hierarchy. There are ready-made cards, which can be customised for each instantiation, and new card templates can be created. Overall, extremely flexible for entering any kind of textual data.

B-Folders is touted as a password manager, notepad, task manager, contact manager, bookmark manager, and journal. Or anything else requiring secure textual storage.

It runs on the desktop also, on Windows, Mac and Linux -- for a price of US$30 each. Here is a desktop snapshot:


Running on Android though, the UI is a bit more constrained. Showing the equivalent of the above picture, this first snapshot shows the top-level:

Here are cards inside the "Banking" folder:

This is the content of one of the cards:

Clicking on a URL in a card, there is an offer to open with internal or system browser (or any other browser that is installed) (this is all customizable):


Sync and backup
SafeInCloud uses the Cloud for storage and considers it safe, as the database is a single encrypted file. The very fact of it being in the Cloud may be seen as a security threat, but if the password is uncrackable, all should be OK.

B-Folders takes a different approach, achieving syncing with its own wi-fi direct connection (or USB cable) between two devices. I haven't yet tried this; however, I have read user feedback, and the reports are positive.

Backup creates a copy of the database file. I tested this, and it reported that a file "storage/sdcard0/backups.dat/2015-06-10_10-15_56.jrb" has been created.
There is also a restore from backup option.

Perhaps it would be nice to have send-to (share) for backup. Individual cards can be shared (which I think requires the paid Utility pack), and this sends a .vcf (Electronic Business Card) text file.

Master password
This is a snapshot of the virtual keypad for entering the master password:


Yes, it is good to have a virtual keyboard, I am happy about that. Numeric-only though, hmmm. I did some experiments, and yes, I can create a very secure numeric-only password, but it has to be quite long.

Here are some password strength checkers that also estimate time to crack:
https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html
https://passfault.appspot.com/password_strength.html
https://howsecureismypassword.net/

...warning, do not enter your actual proposed master password into these checkers! They could be sneakily collecting passwords. These sites are probably OK, but you never know.

In the case of a numeric-only password, an 18-digit to 24-digit non-repetitive, non-sequential password is very secure, taking centuries to crack. Of course, this depends on the hardware that is thrown at it.

The challenge though, is to create a long numeric password that can be remembered. And it must be remembered, as your entire life is in that file!
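
The arithmetic behind the numeric-only trade-off can be run offline instead of pasting a candidate into a website. The following is an added example, not code from B-Folders or from the checkers listed above. The guess rates are assumptions (the real rate depends on the key derivation B-Folders uses, which this review does not cover), and all function names are hypothetical.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(length, alphabet_size=10):
    """Bits of entropy in a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)

def equivalent_length(digits, alphabet_size=62):
    """Random a-z/A-Z/0-9 characters needed to match `digits` random digits."""
    return math.ceil(entropy_bits(digits) / math.log2(alphabet_size))

def years_to_crack(length, guesses_per_second, alphabet_size=10):
    """Average time (half the keyspace) for an offline exhaustive search."""
    return (alphabet_size ** length / 2) / guesses_per_second / SECONDS_PER_YEAR

def has_weak_pattern(pin, run=3):
    """True if `pin` has `run` equal digits in a row, or an up/down sequence."""
    d = [int(c) for c in pin]
    for i in range(len(d) - run + 1):
        steps = {d[j + 1] - d[j] for j in range(i, i + run - 1)}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def generate_pin(length=20):
    """Digits from the OS CSPRNG; candidates with obvious patterns are redrawn.
    At 20 digits the filter costs less than one bit of entropy."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not has_weak_pattern(pin):
            return pin

if __name__ == "__main__":
    # Assumed rates: 1e6/s (slow key derivation) and 1e9/s (fast hash, GPUs).
    for n in (8, 12, 18, 24):
        print(f"{n:2d} digits: {entropy_bits(n):5.1f} bits, "
              f"like {equivalent_length(n)} random alphanumerics, "
              f"{years_to_crack(n, 1e6):.3g} years at 1e6/s, "
              f"{years_to_crack(n, 1e9):.3g} years at 1e9/s")
    print("constructed sample:", generate_pin(20))
```

The printed table makes the hardware dependence concrete: each factor of 1000 in guess rate is worth three digits of length.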

Conclusions
I love this app, the best password manager that I have found so far.

I would like to make some recommendations to the developers:

1. A custom folder for "Login list", just as there already exist "Task list", "Contact list" and "Journal", which are effectively folders in which task, contact and journal cards can be created.
2. Send-to or sharing of the database file, as another way to backup or archive.
3. Markup for notes and journal cards.

Number 3 would be a nice enhancement, I think. Currently, the notes field in a card is plain-text only. It would be nice to be able to specify things like bold, italic, list, which can be saved as RTF, BBCODE or something similar.
I already tested entering a URL into a note, and it got recognised and became a link. Well, this principle can be extended, even perhaps to displaying images (img link, perhaps not embedded images).

Developer JointLogic website:
http://www.jointlogic.com/b-folders/

Comments

Perhaps a more generic implementation for number-1 in my wish-list:

When creating a new folder, allow assigning it a custom icon, and specify what cards can be opened in it.

That would be completely open, so the user can create any kind of folders. Including, if desired, a "Login list" type that only allows "Login" cards inside it.
