SafeInCloud password manager mini-review
May 20, 2015
BarryK
Preamble
We all have this problem: heaps of passwords to remember. Heck, not just passwords, but lots and lots of personal and business data, stuff that is sensitive and could be used for identity theft if an unscrupulous person got hold of it.
There is an alternative. As I discovered recently, password managers have come a long way. Modern ones are not just for passwords, they can store everything. That is, they do not just have the traditional old "login:password" fields. Now they are completely customisable, allowing you to add many types of fields, including login, password, URL, email, phone number, PIN and notes.
Furthermore, on phones, they integrate with the system and link automatically with the email client, phone dialer, SMS messenger, etc.
So, we can "put all our eggs in one basket", have a single encrypted file with our entire identity in it, and one master password.
Typically, this file is saved online, using a Cloud service such as Dropbox or Google Drive, so you can access it from multiple phones and computers.
This is exciting, but isn't it also a bit scary? That master password has to be uncrackable. Unlike other passwords: if you try to log in to PayPal, for example, you can only try so many times, so there a less-than-uncrackable password will suffice.
Then your uncrackable master password has to be something that you can remember. Actually, these are two opposing goals. Anyway, you can devise a reasonably uncrackable password of 8 or 9 characters, that you can train yourself to remember.
SafeInCloud
So, I read lots of reviews of the main password managers for Android in the marketplace. I settled on SafeInCloud, purchased for AU$6.49 from here:
https://play.google.com/store/apps/details?id=com.safeincloud
A nice overview is to be found at the developer's website:
https://safe-in-cloud.com/en/android.html
Actual usage is extremely easy, in fact a pleasure. It is a very good idea to spend some time thinking about what "templates" and "tags" you want.
For example, I created a "Contact" template, and assigned it a default "People" tag. This means that SafeInCloud has also become my people database, and a very nice job it does of that -- I tested the phone-number and email fields, they work great -- clicking a phone-number field brings up the Android dialer, with the option to phone or SMS. A URL can launch the internal browser.
I am saving to Google Drive, though it can also save locally -- so you can back it up to an SD card if you wish.
Regarding online logins, there are security issues with using the clipboard, as discussed here:
http://arstechnica.com/security/2014/11/using-a-password-manager-on-android-it-may-be-wide-open-to-sniffing-attacks/
SafeInCloud gets around this by using a built-in browser. I tested this, it works fine.
There is auto-fill for Android Chrome, but only for Lollipop. I have KitKat. I presume that Lollipop has a more secure way of performing auto-fill.
Conclusions
Absolutely love it, however, I decided to stop using it, for now anyway. There is something that to me seems to be the Achilles' heel of SafeInCloud, and that is entry of the master password.
For security reasons, the program will time out, or lock after losing focus, and need the master password to be re-entered. So, I found myself typing in this master password many times... which got me thinking, and worrying.
Malware can sniff the keyboard. Can you guarantee that you don't have such a sniffing malware in your phone or PC? This problem is discussed here:
http://www.makeuseof.com/tag/four-ways-you-can-protect-your-password-managers-from-malware/
SafeInCloud uses the Android keyboard, and this is what I identified as the Achilles' heel. I contacted the developer and asked if there is any plan to implement a "virtual keyboard" -- the developer Andrey promptly replied, yes, but he cannot say when.
There are some other password managers that do have a virtual keyboard, such as DataVault, Steganos, LastPass, KeePass2Android and Password Safe.
Oh, I should add that SafeInCloud supports the fingerprint scanner in Android and iPhones. If the developer can expand that to some of the other Android phones now emerging with fingerprint scanners, that will be great.
However, a master password is still required, and it is saved in the phone. So, the master password will still need to be entered once, via a keyboard. Then there is the security issue of it being stored, encrypted, in the phone.
The master password
I played around, trying to find that elusive master password, both uncrackable and memorable. One problem is that different password checkers give different results.
Here is some discussion on password strength:
https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
And here is the author's "zxcvbn" online checker:
https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html
-- this is the estimator that SafeInCloud uses.
I came up with a 9-character password that the zxcvbn checker reported would take centuries to crack. However, another checker reported it as weak. Hmmm. My password has a slightly repetitive pattern, non-phonetic, non-English, but I reckon that a cracker algorithm could hunt for such patterns, so I doubt the accuracy of the zxcvbn checker.
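To make the disagreement between checkers concrete, here is an added Python example (not part of the original post, and not zxcvbn's or SafeInCloud's code) that scores a constructed sample password two ways: a naive brute-force estimate that treats every character as an independent draw from the character pool, and a simplified pattern-aware estimate that, in the spirit of zxcvbn's repeat matcher, charges only for the repeated unit plus the choice of how many times it repeats. It also turns the estimates into expected cracking times at two assumed guess rates, one for a rate-limited online login and one for an offline attack on a local vault file, which is the contrast drawn in the Preamble above. The sample password, the character-pool sizes and both guess rates are assumptions chosen for illustration.

```python
import math
from typing import Tuple

# Constructed assumptions for this example (not from the original post):
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # character-pool sizes
ONLINE_RATE = 10.0      # guesses/second against a rate-limited web login
OFFLINE_RATE = 1e10     # guesses/second against a copied, encrypted vault file
SAMPLE_PASSWORD = "ab1ab1ab1"   # constructed 9-character password with a repeating unit


def charset_size(password: str) -> int:
    """Size of the smallest pool that covers every character class used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def naive_bits(password: str) -> float:
    """Brute-force view: each character independently drawn from the pool."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def repeat_unit(password: str) -> Tuple[str, int]:
    """Shortest unit u and count k with password == u * k (k == 1 if none)."""
    n = len(password)
    for length in range(1, n // 2 + 1):
        if n % length == 0 and password[:length] * (n // length) == password:
            return password[:length], n // length
    return password, 1


def pattern_aware_bits(password: str) -> float:
    """Charge for the repeated unit plus the (small) choice of repeat count.

    A guesser that tries 'unit repeated k times' only has to search the unit's
    space and the handful of plausible k values, so the estimate collapses.
    """
    unit, k = repeat_unit(password)
    if k == 1:
        return naive_bits(password)
    return naive_bits(unit) + math.log2(k)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years to find the password: half the space at the given rate."""
    expected_guesses = 2.0 ** bits / 2.0
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def report(password: str) -> dict:
    """Both estimates and both cracking times, as a dict for easy inspection."""
    naive = naive_bits(password)
    aware = pattern_aware_bits(password)
    return {
        "naive_bits": naive,
        "pattern_aware_bits": aware,
        "online_years_naive": years_to_crack(naive, ONLINE_RATE),
        "offline_years_naive": years_to_crack(naive, OFFLINE_RATE),
        "online_years_aware": years_to_crack(aware, ONLINE_RATE),
        "offline_years_aware": years_to_crack(aware, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for pw in (SAMPLE_PASSWORD, "q7Rw!kx2M"):   # second one is a constructed non-repeating sample
        r = report(pw)
        print(f"{pw!r}: naive {r['naive_bits']:.1f} bits, "
              f"pattern-aware {r['pattern_aware_bits']:.1f} bits")
        print(f"   online  (rate-limited): {r['online_years_naive']:.3g} / "
              f"{r['online_years_aware']:.3g} years")
        print(f"   offline (vault file):   {r['offline_years_naive']:.3g} / "
              f"{r['offline_years_aware']:.3g} years")
```

For the repeating sample, the naive estimate comes out near 46 bits while the pattern-aware one is about 17 bits; that gap is exactly why a brute-force calculator and a pattern-matching one such as zxcvbn can disagree on the same 9-character string, and why the offline column is the one that matters for a vault file that sits on a cloud drive.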
Comments
I am currently not using SafeInCloud, now using B-Folders, see review here: http://bkhome.org/news/201506/b-folders-password-manager-review.html
I was using B-Folders and found it was unable to recognise the login/password fields for a couple of websites:
http://m.aliexpress.com
http://my.virginbroadband.com.au
So I tested with SafeInCloud, and it has the same problem with Aliexpress, but works with Virgin.
I also noticed that the in-built browser in SafeInCloud is better integrated than with B-Folders. Such as the Back button to go back from browser to SafeInCloud card, and SafeInCloud-specific menu items in the browser.
It made me realise that the level of sophistication of SafeInCloud is well above that of B-Folders.
Google+ SafeInCloud beta testing community:
https://plus.google.com/communities/116800119793272104126
SafeInCloud blog:
https://safe-in-cloud.com/en/blog.html
I still like B-Folders. There are strengths and weaknesses of each, but overall I decided that SafeInCloud suits my needs. Also, SIC supports the fingerprint scanner in iPhone and Samsung phones -- and I have just about decided that I will purchase the Samsung Note 5 later this year.
For newcomers to SafeInCloud, a bit of advice: do spend some time thinking about Labels before jumping in and creating lots of cards.
SIC does not have a hierarchical folder structure, instead it is "flat" but with Labels. Labels are kind of like folders, as you can choose to view cards of one type of Label, but it is not a nested (multi-level) hierarchy.
These are the Labels I created, for my simple needs:
Business, Misc, Notes, People, WWW
Just think of those as folders, in which you will create cards.
Apart from creating cards, you can also create what is called a Note, which is just a card without any specific fields, just one field for typing any notes.
However, any URLs or email addresses that you type into the note "card" will be automatically recognised as-such, and you can click on them to open a browser or send an email.
...It would be nice if that could be extended to auto-recognise phone numbers also.
In fact, all of the cards have a Note field, so on any card you can type in any extra stuff.
Also at the bottom of all cards, you can append a photo.
Tags: light