strongbox-password-safe / Strongbox

A KeePass/Password Safe Client for iOS and OS X
https://strongboxsafe.com
GNU Affero General Public License v3.0

2FA Audit False Negatives #659

Closed nlydv closed 1 year ago

nlydv commented 1 year ago

Hey, it seems like the 2FA notices on applicable entries only show up if the url includes the protocol prefix.

For example, given an entry with a url of https://example.com that indicates a 2FA audit match, an (otherwise identical) entry with url example.com does not show the 2FA notice.

I like to keep the urls short and generic (where it makes sense) since it keeps things simpler/easier to use, but the 2FA audit is useful, so what I've been doing is I'll only omit the protocol for entries which I already have TOTP set up.

Not sure if that behavior is deliberate for some reason (curious to hear why if it is), but if not it'd be nice if that audit properly matched on protocol-less url entries.

strongbox-mark commented 1 year ago

Not really deliberate, will hopefully be an easy one to fix. Thanks.

unicorn855 commented 1 year ago

This is interesting; is there a recommendation as to when not to include the protocol in entries? I did not take any notice of that so far, but perhaps I should? For reasons of consistency maybe? Also, I am still undecided whether it's good practice to have TOTP codes generate within the same database that holds the other credentials, because wouldn't that defeat the purpose of having a second, separate factor to begin with? Anyway, thanks (again) for all the hard work the Team put into this project <3 it's a joy to use.

nlydv commented 1 year ago

@unicorn855 Kinda off-topic but, at worst storing 2FA in the same password manager is still much better than not having any 2FA. Even more so if it's encrypted as with Strongbox or similar managers.

Everyone's situation is different though so I don't think there's any agreed upon "best practice" here.

ref with more info

unicorn855 commented 1 year ago

Thank you for the heads-up on this @nlydv 👍, the very points discussed in the article you linked make it relevant to this I believe :-). The way I see it is, if I am going to set up 2FA for each account that supports it, I might as well format all the relevant urls to include the protocols they need :-)

nlydv commented 1 year ago

@unicorn855 On whether to include the protocol, there's probably little to no significance security-wise.

AFAIK, the only real difference in not including it is that entry matching for autofill is more lenient and cross-protocol logins can use the same entry (e.g. google.com can match both imaps://mail.google.com in an email client app and https://www.google.com in a regular web browser).

Even then, the matching algorithms are highly variable and unique to your device, manager, and OS rather than being part of a standard protocol. Other than that, it's just personal preference and/or the convenience of storing shorter, more readable URLs.
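The matching gap in the original report (an audit that recognises `https://example.com` but not `example.com`) and the cross-protocol case mentioned just above (`imaps://mail.google.com` vs `https://www.google.com`) both come down to comparing hostnames rather than raw URL strings. The following is an added Python illustration, not Strongbox's code: it normalises each entry's URL to a hostname before checking it against a 2FA site list, so protocol-less and non-HTTP entries are audited too. The site list and the entries are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample of sites known to offer 2FA (stands in for the
# app's real audit list; these hostnames are examples only).
TWO_FA_SITES = {"example.com", "google.com"}


@dataclass
class Entry:
    title: str
    url: str
    has_totp: bool


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, with or without a scheme.

    urlsplit() puts a scheme-less 'example.com/login' entirely into .path,
    which is exactly how a naive audit ends up skipping protocol-less
    entries; prepending a dummy scheme makes the host parse correctly.
    """
    url = url.strip()
    if not url:
        return None
    if "://" not in url:
        url = "scheme://" + url
    # .hostname drops userinfo and port and lowercases the result
    return urlsplit(url).hostname or None


def matches_2fa_site(host: str) -> bool:
    """True if host equals, or is a subdomain of, a site on the audit list."""
    return any(host == s or host.endswith("." + s) for s in TWO_FA_SITES)


def audit_2fa(entries: List[Entry]) -> List[str]:
    """Titles of entries on a 2FA-capable site that have no TOTP configured."""
    return [
        e.title
        for e in entries
        if (h := host_of(e.url)) and matches_2fa_site(h) and not e.has_totp
    ]


# Constructed sample database mirroring the cases discussed in the thread.
SAMPLE_ENTRIES = [
    Entry("with scheme", "https://example.com", False),
    Entry("without scheme", "example.com", False),
    Entry("already has TOTP", "example.com", True),
    Entry("mail client", "imaps://mail.google.com", False),
    Entry("unrelated", "other.org", False),
]

if __name__ == "__main__":
    print(audit_2fa(SAMPLE_ENTRIES))  # ['with scheme', 'without scheme', 'mail client']
```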

unicorn855 commented 1 year ago

@nlydv I see, thank you for elucidating on that. What I have done in the past is to have one basic URL (usually with the https protocol) in the URL field and then I added additional URLs as custom ones for different protocols or areas of a site where the same login credentials are used. I will play around a bit to see if I can apply this to most if not all of my database, but I understand that this is mostly for consistency reasons, feels to become more of a thing the bigger my database grows :-).

strongbox-mark commented 1 year ago

Hi all, this should be fixed in 1.57.3. To download and update to 1.57.3, you will need to go to the App Store, search for Strongbox, click on the correct version (the one you have installed now) and then you will see the "Update" button. Click that to Update :)

Feedback welcome! @nlydv - Could you confirm and close if fixed. Thanks

unicorn855 commented 1 year ago

Thanks @strongbox-mark for that, but I don't see a version higher than 1.57.1 available in the store (yet). Also, I can't click/tap on the different versions in the App Store on iPhone. Are you talking about the macOS version of Strongbox? Thanks and have a good rest of the weekend 👍👍

strongbox-mark commented 1 year ago

Yes, this is on macOS, if you have access to that. We'll roll out to iOS in a short while, but it would be good to confirm the fix.

unicorn855 commented 1 year ago

Ah, I see :-) Unfortunately, however, I don't have access to macOS, so I can't confirm that way.

Thank you for the quick reply though, anyway :-)

nlydv commented 1 year ago

@strongbox-mark Yeah this looks to be working as expected after updating the app, thanks!