Use DTP as a Password database?

Question:
I use Password Pad for all my passwords but am thinking I could use DT3?
If I only use Bonjour on my LAN to sync from my Mac to DEVONthink To Go, and I encrypt the database, is this as secure as any other Mac–iOS app that manages passwords?

Thanks

Sometimes using a specialized app is better than a general app. I use 1Password and it has unique capabilities that make text (passwords, etc.) easier to enter in apps and websites. Using DT would involve manipulating several windows and cut&paste operations.

Thanks.
Yes the convenience factor is higher but do you think the security is more or less? A cloud based service like 1Password seems less secure than DT3’s local Bonjour syncing?

I use the standalone version of 1Password (the latest version, version 7) and although AgileBits make you jump through hoops trying to persuade you to subscribe to their cloud based version I was able to buy a licence for the standalone version (without which I would have abandoned 1Password because I strongly dislike their subscription model). Synchronisation to my iPad and iPhone takes place using local Wi-Fi and works perfectly.

So far as I am aware standalone licences are still available for 1Password. It is an excellent app.

Stephen

I might look at that Stephen thanks.
I’m trying DT3 now with a Password database and getting an encrypted database to appear on DTTG is proving a challenge.

OK unless I’m missing something, DT is really awkward to use for this purpose!
Firstly Bonjour doesn’t play well with encrypted databases it seems.
Then if you create a ‘Password Database’ on your Mac, you end up with a ‘Password Database’ on your iOS device for everyone to see, unless you password protect all of your databases, which I really do not want to do.
(…there is a contextual Username and Password option for a database on DTTG but it doesn’t seem to do anything?)

I am seeing no issue with syncing an encrypted database via Bonjour or any other sync method. Indeed, regarding encrypted databases there is nothing technologically distinct about the database itself.

DEVONthink 3 is in beta testing. It is not the final release and encrypted databases are not supported in DEVONthink To Go (which is not in beta).

I don’t have information on how this will be implemented in DTTG, especially considering the filesystem and operating system on macOS and iOS is not the same.

You could be using DTTG’s Settings > Security to lock access to the application, but no the database would not be hidden from view or inaccessible.

You might also look at Enpass, with which I am experimenting as a replacement for 1Password. It uses local storage and has similar integrations with other apps to 1Password - also cheaper. A little cruder.

I endorse the view that using DT would be a lot less convenient

You’d have to define the operations to determine what is “convenient”.

Could it be convenient, just as a container of passwords? Absolutely. I actually have a database containing login information going back many years. It works perfectly fine for looking up login information, i.e., it’s quite convenient. :slight_smile:

Yes the trouble with Enpass et al is I don’t want anything but a plain document so I can dictate format.
Bluefrog, do you sync your login database to iOS? If yes, how do you keep it secure on the actual iPad?

Security is handled by DTTG’s Settings > Security and using a mandatory passcode and an optional TouchID (on my iPhone 7). There is no per-database locking in DTTG.

As I thought.
I’d really like to see per-data base locking in DTTG.

What is the Username and Password on DTTG, available in the context menu for? I have searched Help but cannot find it referenced.

It is used for sync security, the same purpose as it’s intended for in DEVONthink 3.

From DEVONthink 3’s Help > Documentation > Windows > Database Properties (and applicable to DTTG as well):

Protection: To add a layer of protection when syncing your databases, you can add a username and password to the database. Anyone trying to import the database from a sync location will need to provide these credentials.

Ah OK that’s clear

OK - makes sense

My scenario is even more secure:

I have a Synology NAS with an encrypted folder. Apart from administrator (two step account), only other specific account has permissions to RW that folder.

All my databases are password protected and synchronized with that folder via https (with digital certificate) WebDAV…

All passwords are secure (long and non-dictionary).

I think you can safely store your passwords in this scenario.

PS: And yes, I have a PostIt with all those data attached to my main iMac… :sweat_smile: Noooo, I have all in my 1Password safe.

PSS: If someone takes the job to break all of that he will reach a zillion of most (but not all) public domain pdf, a scrapbook from internet and not much more. :joy: (Well, yess, more things like my writings, software licenses and other more or less critical related stuff).

Can you explain that a bit more… I have a Synology NAS too but did not know I can synchronize it to DT.

Thanks

You need to enable WebDAV service in your NAS (Install WebDAV Server package). Enable HTTPS and disable HTTP in that configuration. You can even change the default port.

Done that, all your NAS can be accessed via WebDAV, only by HTTPS.

To have HTTPS enabled, you must go to Control Panel -> Security -> Certificate and install a purchased certificate or one done via Let’s Encrypt (that your Synology can renew automagically). This is a little bit critical thing because you need to specify where you are going to access from to avoid warnings like (“this certificate is not for this site” or similar).

Then you can access via fixed IP inside of your network or via Synology DDNS (or similar) with HTTPS.

Next step is to create a shared folder in Control Panel with encryption. IMHO this only can be done if your Synology is formatted with the Btrfs file system. On each NAS restart, or when you manually unmount the disk, it cannot be mounted again without the password. This is similar to Windows BitLocker or Apple FileVault.

Next is to create a normal user account with only access to the shared folder you are going to use to sync your DT. This is done in Synology Control Panel as well. Then specifically deny access to that folder to other Synology accounts you could have in your NAS (I left access to my admin account just in case).

In DT, you need to specify WebDAV and HTTPS as remote location, point to the desired shared folder and use the specially created account in Synology for that specific folder.

(You have tutorials for all of this on the Synology website). I recommend you do this first without HTTPS and when it is working, enable HTTPS in WebDAV as the final step.

At this moment you have 4 layers of security:

  1. DT database password
  2. HTTPS over internet to avoid intercepts
  3. Synology only account access
  4. Synology disk encryption

In my case I have a DS1019+ with 4 disks (SHR 1 disk fault tolerant) + 1 as spare with auto repair in case of disk failure), and 1TB RAID (1+1) eMMC R/W cache. The performance result inside my local network is higher than having some external cloud service to store my files.
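The layers described in the post above (HTTPS only, a dedicated account for the share) are configured through the DSM GUI, so an easy way to lose one of them is a typo in the sync URL or a WebDAV Server package left with plain HTTP enabled. The script below is an added example of how to verify the endpoint from a client machine; it is not part of DEVONthink or Synology DSM. It assumes a hypothetical host name (nas.example.invalid) and the Synology WebDAV Server default ports 5005 (HTTP) and 5006 (HTTPS); the share path and ports are assumptions you would replace with your own.

```python
"""Verify a hardened WebDAV sync endpoint from the client side.

Added example, not DEVONthink or Synology code. Checks three things the
thread relies on: the sync URL is HTTPS, the plain-HTTP port is closed,
and the share refuses anonymous (unauthenticated) access.
"""
from __future__ import annotations

import http.client
import socket
import ssl
from urllib.parse import urlparse

# Hypothetical values; replace with your own NAS name, ports and share path.
SYNC_URL = "https://nas.example.invalid:5006/devonthink/"
PLAIN_HTTP_PORT = 5005  # Synology WebDAV Server default HTTP port


def check_sync_url(url: str) -> list[str]:
    """Static checks on the URL you type into the sync client.

    Returns a list of problems; an empty list means the URL passes.
    """
    problems: list[str] = []
    p = urlparse(url)
    if p.scheme != "https":
        problems.append(f"scheme is {p.scheme!r}, expected 'https'")
    if not p.hostname:
        problems.append("no hostname in URL")
    if p.username or p.password:
        # Credentials in the URL end up in logs and shell history.
        problems.append("credentials embedded in URL; enter them in the sync client instead")
    return problems


def classify_anonymous_response(status: int) -> str:
    """Interpret the status of a PROPFIND sent without any credentials."""
    if status == 401:
        return "ok: anonymous access refused (401)"
    if status in (200, 207):
        return "FAIL: share is readable without credentials"
    if status == 403:
        return "ok: forbidden (403); confirm the sync account itself can read the share"
    return f"unexpected status {status}; inspect manually"


def plain_http_port_closed(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if nothing accepts TCP connections on the plain-HTTP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False  # something answered: HTTP is still enabled
    except (ConnectionRefusedError, socket.timeout, OSError):
        return True


def probe_anonymous(url: str, timeout: float = 5.0) -> str:
    """TLS with certificate-chain and hostname verification, then an
    unauthenticated PROPFIND at Depth 0 on the share root."""
    p = urlparse(url)
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    conn = http.client.HTTPSConnection(p.hostname, p.port or 443, context=ctx, timeout=timeout)
    try:
        conn.request("PROPFIND", p.path or "/", headers={"Depth": "0"})
        return classify_anonymous_response(conn.getresponse().status)
    finally:
        conn.close()


if __name__ == "__main__":
    for problem in check_sync_url(SYNC_URL):
        print("URL:", problem)
    host = urlparse(SYNC_URL).hostname or ""
    print("plain HTTP closed:", plain_http_port_closed(host, PLAIN_HTTP_PORT))
    try:
        print("anonymous PROPFIND:", probe_anonymous(SYNC_URL))
    except ssl.SSLCertVerificationError as e:
        # A mismatched or self-signed certificate is the warning the post mentions;
        # fix the certificate rather than disabling verification in the client.
        print("TLS verification failed:", e)
```

Run it from a machine on the LAN (or from outside if you use the DDNS name) after the final "enable HTTPS" step; a certificate error here means the certificate's name does not match the host you are syncing to, which is exactly the mismatch the post warns about.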


That is super-clear! I will give it a go soon.

Thanks!


I use both 1Password (for passwords) and DEVONthink. I support the view that a good specific program such as 1Password is more convenient for the purpose it was made for. However, and sorry for saying this in a DEVONthink forum, I’ll add that from security standpoint I trust 1Password and AgileBits (the company behind 1Password) a lot more than general purpose apps such as DEVONthink or Day One that promise end-to-end encryption, which basically means that data is encrypted before it leaves the device and is stored to the cloud. For instance, there’s probably a lot more expertise and auditing done for 1Password that for the generic apps. I’ve read of some security groups studying possible weaknesses in the 1Password implementation, and them responding to it, etc.

If you want to sync passwords through cloud between Macs and iOS, then something like 1Password is most likely a more secure choice than DEVONthink. I’d personally opt to think that even 1Password through cloud sync is a more secure way to get passwords synced between Mac and iOS than the Bonjour DEVONthink solution in general. There are probably many potential ways someone could get to your passwords in DEVONthink on iOS devices, such as someone browsing to them through the Files app while you’re not looking. Or someone figures out a way to dump the data on your device and they find your password file.

On Mac, if you open an encrypted database, then I think the files are unencrypted in the mount point anyway while the database is open, and at least in DEVONthink 3 beta it seems the mount point often remains open even after you’ve closed the mount. Even if you’re the sole person using the Mac, there’s a chance that you for instance run some downloaded ransomware or other software that can read your filesystem, and then send the passwords to another place. Or maybe you make a personal mistake and backup all that stuff to an unencrypted place, or your custom NAS drive setup perhaps isn’t as secure as you think.

So in general, I think there are several factors to consider whether cloud or custom bonjour is safer. Personally I use 1Password with their cloud sync for my private passwords, and a local 1Password vault for some more sensitive work related things. BTW I’m not affiliated with the company behind 1Password in any way and I used it as an example. I kind of evaluated the risks of storing passwords and also syncing them between the devices and this is what I came up for my situation. It seems I’d more probably make mistakes with a custom solution than with a specific product from a reliable company targeted to the issue.
