The Android smartphone does not save logins and passwords. The best programs for storing passwords

Twitter

As our lives rapidly digitize, we are literally surrounded by a variety of passwords. And when the number of services goes up into dozens, remembering passwords for them is simply unrealistic. You can, of course, use the same password everywhere, but this is very insecure. Lost it - and all the details of your life may go to someone not very friendly. Therefore, it is more correct to invent everywhere different passwords, and then write them down in a secluded place.

But how to choose this place? So that it’s both convenient and reliable? There are hundreds of options. I won't tell you about all the password storage apps. It will take too much time because I have tried a lot of things. I’ll tell you better about the two that I eventually settled on.

I've been using the free app on Android for many years now. B-Folders. It, unlike many analogues, is truly free - there are no restrictions on the number of fields in records, or on the number of records themselves. The database is stored in encrypted form; by default, access to it is opened after entering a password or PIN code (your choice). For an additional amount, you can enable fingerprint unlocking (299 rubles).

The developer has been working on the application since 2009 and seems to have thought of everything. In the settings you can change the appearance of the application and cards, set the time for forced clearing of the clipboard after you have copied the password into it, enable self-destruction of the database after a certain number incorrectly entered passwords, etc. and so on. The paranoia of the authors has reached the point that you can’t even take a screenshot in the application - and this, by the way, is absolutely correct.

You can find fault with two things. Firstly, the interface is not localized - everything is in English. There are no problems with Russian names and passwords, and all important inscriptions are duplicated with clear icons. But for some it may be a nuisance.

Secondly, there is no option automatic synchronization databases with cloud storage. Perhaps this is also done for additional security password databases. But the latter can be saved as an encrypted file, sent to any cloud (Dropbox, OneDrive, etc.), and downloaded from there to another phone. The procedure takes literally a minute, and all your favorite settings are moved along with the database.

So, I probably would have only used B-Folders, but life forced me to look for a multi-platform solution. So that you can also spy on particularly tricky passwords on Android, iOS, and your computer. I tried everything and finally settled on... Kaspersky Password Manager. The application is also free by default, but if you don’t add money, you can only store 15 passwords. If you want more, please pay extra. You cannot buy the application forever; the license is valid for a year. But, unfortunately, this is the case with all decent multi-platform games with online synchronization. The only question is the price.

And, strange as it may sound, in the case of Kaspersky Password Manager it can be very different. I was stupid to buy a license directly through App Store, where they cheated me out of 1000 rubles. And on the Kaspersky Lab website the same thing costs only 450 rubles. If you purchased a license for Kaspersky Total Security (1990 rubles per year for two computers), then you will get Password Manager as a bonus completely free of charge.

Since Password Manager has Russian roots, localization is fully present. For websites, applications and personal data there are different formats cards, plus there are separate section for notes. Of course, also encrypted. I liked that when you enter a password for a site, its icon is automatically updated in the menu - this makes it easier not to get lost when there are a lot of passwords. Also, if you open the site directly from the application, it will try to insert the password into the form. It doesn’t always work out, because the forms are written in so many different ways. But sometimes it really saves time.

Passwords entered once are stored in the Kaspersky Lab cloud and are accessible from any authorized devices. Additional protection is provided by the presence of a master password: that is, it is not enough to enter your account information, you need another one on top. Login to the application using a PIN code, fingerprint or - in iPhone case X – along the face. There are versions for PC and Mac, but it’s probably easier to access it through a browser.

The only disadvantage of the product is the lack of the opportunity to buy a lifetime license, it’s somehow safer with it. But it seems that the time for such licenses is running out.

Take care of your passwords! There is too much to lose with them. Suffice it to remember the hundreds of sufferers who forgot the details of their Bitcoin wallets :)

Hello Habr! I am a young developer specializing in Android development and information security. Not long ago I wondered: how Google Chrome stores saved user passwords? Analyzing information from the network and the files of Chrome itself (this article was especially informative), I discovered certain similarities and differences in the implementation of saving passwords on different platforms, and for demonstration I wrote applications for extracting passwords from Android versions browser.

How it works?

As we can know from various online publications on this topic, Google Chrome on PC stores the passwords of its users in the following directory:

"C:\Users\SomeUser\AppData\Local\Google\Chrome\User Data\Default\" in file " Login Data".

This file is the database SQLite data, and it is quite possible to open it and look at it. In the table logins we can see the following fields of interest to us: origin_url(Website address), username_value(login), password_value(password). The password is represented as a byte array, and is encrypted using a machine key, individual for each system. You can learn more from this article. Thus, there is no protection in Windows client present.

Android

But since I’m more into Android, my attention was drawn to the Android browser client.

“Picking open” the package Google Chrome (com.android.chrome), I found that its structure is very similar to the structure of the PC client, and it was not difficult to find exactly the same database responsible for storing user passwords. The full path to the database is as follows: "/data/data/com.android.chrome/app_chrome/Default/Login Data". In general, this database is very similar to its “big sister” from the PC version, with only one, but very significant difference - passwords are stored here in open form. The question arises: is it possible to programmatically extract passwords from the database? The answer turned out to be quite obvious - yes, if your application has root rights.

Implementation

For greater clarity, it was decided to make our own tool for retrieving passwords from the browser database.

To describe its work in a nutshell, it works like this:

Gets root.
Copies the base Chrome data to your directory.
Using chmod, accesses a copy of the database.
Opens the database and retrieves information about logins and passwords.

The application was posted on Google Play.

Conclusion

As a conclusion from the work done, we can say that if you have root rights, pulling out the password database from the browser and sending it to your server is a completely solvable task, and this fact should make you think about whether you should trust any application with superuser rights .

I hope this article was informative. Thank you for your attention!

Articles and Lifehacks

Everyone knows that in the depths of a mobile device you can find a section where are passwords stored in android?. However, many people think that these passwords just hang there. open access, and if the phone is lost, someone will be able to use the account by simply opening the “account.db” folder. In fact, this is a huge misconception. This is much more difficult than, since everything is tied to the hardware.

When you sign up for Google, you enter your email address and password. Then your device sends a code to the imei server, which is unique for all phone models, and in return receives an authorization token (auth token). This token will be valid only for your phone and it is this token, not the account password, that will be located in the account.db folder.”

If you lose a device that has been registered, you can log into your Google account, for example, from a computer and disable it. Now no one can enter your Personal Area from a lost device.

Saved passwords in the Android browser

Taking advantage mobile internet, we often visit sites where registration is required, and to save time we click the “Remember” button. At the same time, we don’t think about where the passwords that we specify are stored in Android. And they are saved in the browser we use, for example, Opera mini. And if available necessary programs this data is easy to view. And for this it is not at all necessary to know, everything is made simpler.

To see your saved passwords, you will need special program, providing administration rights. This could be Universal Androot or any other similar service. You also need to download the SQLite Editor application and run it. When you first launch it, the program will probably scan your device for the presence of a database, after which it will display a list of applications that will have their own database. Find the browser you use in the list and click on it. Now a menu will appear in front of you, in it you need to select “webview. db". In the “password” window that appears, you can find all the passwords that have been saved in the browser.

Is it possible to hide passwords in Android

You are unlikely to be able to hide saved passwords. Therefore, if someone else besides you has access to your mobile device, then follow these rules:

1) Opt out of the “Remember” option when registering a new account.
2) After each visit to Internet pages, delete your browsing history.
3) Clear your cache at least once a week.

When choosing one method or another for storing confidential information, you have to make a compromise. Relying on own memory, we choose simple, easy-to-remember options for passwords, logins, etc. Material recording (say, notes in a notebook) is even less reliable; additional argumentation may not even be given.

A mobile device is also not a panacea. But firstly, the phone is always at hand, unlike desktop software solutions. Secondly, it is still possible to reliably protect data on your phone with little cost.

Among the most popular applications For Android, password managers top the list, and there's a surprising amount of choice in this category. This guide mainly covers well-known and well-proven solutions. The task is to find out how convenient it is to use password managers, what tools the developers offer to protect information in each case.

First of all, our interest is focused on the following aspects:

Synchronization, import and export of data
Records, templates, ways to organize data, search
Supported Security Standards
Additional tools: built-in browser, password generator, etc.
Security measures such as setting a master password (or PIN), auto-locking, clearing the clipboard.

Participants:

mySecret
Keepass2Android
Safe in Cloud
Pocket
LastPass
PassWallet
Dashlane Password Manager

mySecret

The mySecret app allows you to store usernames, passwords and notes in an encrypted database. When a database is created, a master password is assigned to it.

Optionally, the database can be synchronized online with Dropbox or via an HTTP server. Also provided local access: The database is stored in the phone's memory; it can be synchronized manually, deleted, or restored from a file. Certificates are used to further protect content.

mySecret uses a simple format for storing information. The contents of the cell consist of a record (name), login, password, URL, note. All this data is involved in the search, so you can quickly find the information you are interested in at any time. However, please note that some traditional mySecret amenities are not available. For example, you cannot assign a record to a category or group or assign additional fields.

Very little attention is paid to safety. In some cases, reinsurance in the form of additional measures. For example, when deleting a database, you are not prompted for a password, no quick lock etc. points that will be discussed in the review.

Summary. mySecret supports online synchronization, autonomous operation,password storage with certificate support. Weak sides- organization of passwords is too simple, impossible flexible settings, unclear security situation (at a minimum, encryption technology is not specified).

Keepass2Android

Keepass2Android - free manager passwords, which allows you to write confidential data to a *.kdbx file. This format is supported by desktop versions of KeePass and is thus available for .

KeePass allows you to work with several databases stored in the phone's memory. Information is encrypted using the AES (Rijdael) 256-bit algorithm with a specified number of encryption approaches. Additionally, a key file can be used. Of course, the database is protected by a master password; to speed up access, you can activate the QuickUnlock option - unlocking using the last three characters of the password.

The record includes standard fields (password, username, website address, comment). In addition, you can assign an associative icon, add additional fields, tags, attachments, and specify the password expiration date. It is allowed not only to add records, but also to group them. This is very convenient, but it would be more practical to associate groups with a specific set of fields, thereby speeding up the addition of new records.

Advanced search allows you to include any fields and data. A normal search in KeePass is carried out not as you type, but after clicking on the confirmation button (this action could also be optimized).

In stock additional options security: clearing the clipboard, blocking the database, quick unlocking, setting passwords, managing operations, processing files.

Keepass2Android supports database synchronization with cloud services Dropbox, Google Drive, SkyDrive, as well as FTP protocols and WebDAV. There is a local - less popular - version of KeePass - . It may be of interest, perhaps, only to users who do not require constant synchronization with other platforms. Export is supported in it, along with alternative version applications.

Summary. Keepass2Android is a functional solution with convenient organization of passwords and other classified information. Features include groups and advanced search, synchronization with desktop platforms and online services.

Safe in Cloud

Safe in Cloud - password manager with the ability to online synchronize an encrypted database (supported Google storage Drive, Dropbox and SkyDrive). Despite the only database, access to the service is possible on other platforms: (iOS, Windows). There are also extensions for Chrome browsers and Firefox.

You can import old passwords into Safe in Cloud; more than 80 supported applications are stated (other options can be added upon request). Export of records is available, output formats are TXT, CSV and XML. Among other operations performed with the base, - backup/ data recovery to memory card.

User data is stored in the form of maps, notes, and templates. Cards are records of sensitive information created based on templates. Templates represent a specific set of fields (for example, credit cards, passports, Email, web accounts). Finally, notes are simple text entries.

Tags are used to organize posts; from the sidebar you can quickly navigate to the desired category. Navigation is expanded convenient search: it is initially produced for all fields and works as you type.

Data in Safe in Cloud is encrypted (both on the phone and in cloud storage), standard 256-bit Advanced Encryption Standard encryption is used. A master password is provided; it is entered each time you start or resume activity in the application.

Summary. There are no complaints about the Safe in Cloud application. Most strengths - user-friendly interface, thoughtful navigation plus categorization and search, extensive import and export capabilities, cross-platform, synchronization.

Pocket

Pocket (not to be confused with the service of the same name for delayed reading) - Notebook for convenient storage of information, including confidential information.

The design of Pocket differs from other applications in less strictness: convex buttons, colored background, many icons. This is an additional “plus”, although, according to reviews, there are also adherents of the conservative style.

Similar to Safe in Cloud and similar programs, Pocket supports categories, allowing you to sort entries by various types. In the group settings, fields are specified - that is, something like a template. As a result, it's easy to create groups ranging from web logins and car signs to licenses, recipes and other entities. There is a password generator nearby that will help you create a password of the required length and complexity in the appropriate field.

The search bar has its own section, and a slight inconvenience is that you need to click on the “Search” button, enter keywords and press the button again, although, as already noted, this can be implemented much easier for the user.

The AES-256 algorithm is used for encryption. The master password, created for database security purposes, is a SHA-512 hash and is not actually stored on the device as a specific combination of numbers. When inactive, Pocket automatically blocks access and clears the clipboard, providing comprehensive data protection.

Existing entries can be imported or made backup copy from SD card, sync with Dropbox. When online synchronization is used HTTPS protocol, the data is transmitted encrypted.

The Pro version, compared to the free version, does not contain additional functionality, but it does not contain advertising.

Summary. The program has not been updated for a year, but it is still quite relevant. Pocket has a good design, although not in all aspects optimized for quick access - such features as quick search and QuickUnlock would not hurt. Customizable synchronization, export of recordings to an SD card, import wizard. Integration with desktop (Windows/Mac/Unix) jar application is available.

LastPass

LastPass is a symbiosis of a browser and a password manager. The browser is used to quickly fill out forms, save addresses and other information, and the manager also allows you to store any text data.

PassWallet is a password manager and secure data storage. 256bit offered AES encryption databases, synchronization with online services Dropbox and Google Drive.

Personal data can be imported from other applications, including Keeper, mSecure, aWallet, DataVault, SplashID, NS Wallet, LastPass, Password Box, Safe in Cloud (some of the applications have already been mentioned or will be included in the second part of the guide). CSV file import and export is supported. The Pro version of PassWallet offers data backup and recovery with encryption support and PIN code setting.

It is very convenient that home screen supports the “terminal” input method, that is, to enter the master password you do not need to open standard keyboard Android.

With PassWallet you can create secure entries containing data credit cards, web services, identities. When you select "Other", you are prompted to enter a name, ID, password and note. Thus, you cannot use templates and custom fields, and this is already a significant drawback. For data tied to a date (passport, credit cards, etc.), you can specify an expiration date - PassWallet will notify the user about the imminent expiration of time. When entering a password, you can use a simple generator (it produces a random set of characters, without specifying the complexity).

There is a search as you type, but you cannot organize information by tags or categories. Therefore, it remains to use standard, not always useful groups, such as “Web logins”, “Bank accounts”.

Things are more optimistic with security options. This is the so-called Stealth mode (the ability to hide the application icon), disguise (PassWallet is not displayed in the launch history), auto-blocking, data destruction function if entered incorrectly.

The application is paid, a month of trial mode is provided.

Summary. The developers are convinced that PassWallet is the most “secure and convenient manager.” In fact - a simple toolkit with well-thought-out access protection, in free applications You can also find a wider range of functions.

Dashlane Password Manager

The free Dashlane manager allows you to generate passwords and store them in safe environment, subsequently using it to autofill forms and log into sites. You can use the Dashlane Browser for Internet navigation, and the special Dashlane Keyboard for data entry. The application is available for Mac, Windows, iOS, Android tablets and phones.

First of all, we should note the user-friendly interface of the program. Fast access data can be accessed either through a retractable sidebar, and through the control panel and search bar. Dashlane consists of three main sections: Password Manager, Autofill, Wallet.

A password entry includes information about the site, a pinned category, and a note. For creating secure password a built-in generator can be used. In addition to adding a password, notes containing title and content are available. The Dashlane Keyboard can be used to autofill forms (it can be easily connected via system settings section "Language and input") and the browser - Dashlane Browser. If necessary, you can specify an alternative application for Internet surfing through the settings.

Autofill settings are revealed in more detail in the Autofill section. Addresses, phone numbers, and names are added to the Personal Info section, which are subsequently used in the fields. The second subsection contains identifiers, ID - standard set templates with fields, including passport data, license numbers, etc. Unfortunately, it is not possible to add your own template or fields.

Finally, the Wallet section records information for payment systems: these are credit card numbers and account numbers.

Dashlane has security measures such as clipboard clearing, PIN protection, master password protection, auto-lock, and no screenshots.

The premium version of Dashlane allows you to synchronize passwords across various devices, automatic backup of information and online access to the database.

Summary. Dashlane offers clear separation personal information into several sections, convenient control data and thoughtful access settings. For quick input Additional tools such as a browser and keyboard may be helpful. It should be kept in mind that free version Dashlane does not support synchronization or backup.

I've been using the amazing password storage service LastPass for years and find it to be the best of its kind. However for Android platforms this service only offers paid option use, which is not suitable for everyone. Therefore, in this article we will look at how to extract your passwords from LastPass, transfer them to Android and organize their secure storage and convenient use.

1. Export passwords from LastPass

Retrieving your passwords from this service is very simple, the process only takes a few clicks. To do this, you need to go to the service’s web interface and select “Export” in the main menu. After this, you need to specify the file name and location to save it on your computer.

2. Convert LastPass passwords to KeePass passwords

To work with passwords on a mobile device, we will use the program. It has clients for almost all platforms, has proven itself in terms of security, is convenient and free. But before you transfer your passwords to mobile device, they must be converted into a form understandable for this program. This feature exists in the desktop version of KeePass.

Install KeePass on your computer and create new base passwords by specifying one of the folders in Dropbox as the location. Then import the file from LastPass passwords to the password database you created.

3. Keepass2Android

Once your passwords are in a form KeePass can understand, you can transfer them directly to your mobile device. The best way to do this is to use mobile client Keepass2Android, which can synchronize your password database via Dropbox. Install this program, and then open the password database you created earlier.

4. Automatically fill passwords

One of the most convenient functions LastPass is an opportunity automatic filling credentials on saved sites. Keepass2Android also has a similar function, although it is implemented a little differently. The program has a special keyboard with which passwords are entered. This happens as follows.

You open the login page in your browser (almost all Android browsers are supported).
Using the “Send” menu, you forward this page to Keepass2Android. The program finds a password suitable for this page in its database.
Then you are prompted to select a keyboard. Select the Keepass2Android option.
A special keyboard appears on which you can use special keys You can enter your login and password for the open page in the required fields in one click.

Now you will have on your mobile gadget a well-secured and synchronized database containing all your passwords. In addition, we get the opportunity to conveniently enter passwords using special keyboard, which allows you to very quickly and conveniently enter the sites you need.