
FREQUENTLY ASKED QUESTIONS

The QubiBox is a crypto hardware device that stores the private information managed with a dedicated application and connects over Bluetooth or USB to any client (smart phone, tablet or PC).

The QubiBox is a simple and powerful password and information manager you can use to organize and secure data such as passwords, financial records, bank account details, credit card numbers, ATM PINs, medical records, physical access codes, legal and financial documents, pictures, movies, etc. This information (in practice, your “digital persona”) is typically small compared to the mass of data you wish to openly share with others, but it’s of critical importance to you as a private individual operating in both the physical world and across distributed digital environments.

With QubiBox, you gain the combined advantages of anytime access, strong authentication, military-level encryption, malware protection, seamless synchronization and backup, and secure data storage to keep your private information always under your exclusive control. The purpose of QubiBox is to protect your digital persona and put you back in control of how and when your most private information can be accessed and used.

The QubiBox app is free for life, but you can expand the application’s convenience and security features with a one-time purchase of a QubiBox device, the crypto hardware device designed to protect your sensitive data from hackers, loss or accidental disclosure.

With a QubiBox device you will be able to:

  • synchronize your records across all your devices (smart phone, tablet, PC) without the need to connect to the Internet or store your data in the Cloud

  • keep records encrypted in a secure storage always under your control

  • access and manage your data anytime, anywhere, even offline

  • protect your data from malware and spyware even when your smart phone and PC are infected

  • avoid data loss with seamless backup of all your records during usage

  • enjoy strong security features, such as hardware-based authentication and access control via physical action feedback.

The QubiBox application running on your smart phone, tablet or PC needs to learn that it can safely exchange information with your QubiBox. For this reason, a quick one-time enrollment procedure is required the first time a new QubiBox device is used with the QubiBox app. After this simple initial “handshake”, the app and the device will be “linked” and enabled to connect and share data over an encrypted communication channel using the Bluetooth or USB protocol.

Yes, you can use the QubiBox app in “standalone”, software-only mode and it will be fully functional except for several important and convenient features that require a QubiBox device, such as private synchronization and seamless backup. Note that, without the additional security layer provided by the QubiBox device, the privacy of the data managed with the application will greatly depend on the security of your client device (smart phone, tablet, PC).

Please check the QubiBox security white paper for more information on the threats by active malware and spyware on the data managed with your smart phone and PC.

When using the QubiBox app in software-only, standalone mode, all data is kept encrypted and stored on your client device, so any physical damage to or malware attack on the smart phone, tablet, or PC will also impact the security and availability of your private information.

After you link the application with a QubiBox device, your records will also be physically stored on it and you will be able to choose which ones to “box” so that they can be accessed only after physical action feedback on the QubiBox device. In other words, a “boxed” record can be viewed, modified and deleted only after you connect the QubiBox device and confirm by pressing the function button on it.

You will have to choose and remember only one secure credential, called the Login Password. Of course, we suggest that you pick a strong Login Password, and the app will warn you if your choice of password is weak and offer to improve it using the integrated Password Generator tool.

The Login Password is never stored in the app, and it’s used to generate cryptographic derivatives for encryption and authentication purposes (check the QubiBox security white paper for more details).

When you link the QubiBox app with a new QubiBox device you are asked to choose a second secret credential called the Power Password. You can think of this additional password as a second factor of authentication which unlocks all the new features supported by QubiBox. However, you will need to enter the Power Password only during special operations (e.g. to unblock your login or to restore all data from a backup archive), but never for normal usage. This means that you don’t really need to memorize the Power Password since it will be required only in rare cases. After setting the Power Password, we suggest you write it down on the last page of the Quick Guide found in the QubiBox product package and store the guide in a safe place.

Finding a lost QubiBox or stealing it will not allow accessing any of the data stored on it without knowing the secret Login Password and/or Power Password. After the maximum allowed number of attempts entering the Power Password is reached, the QubiBox will be sealed and the data stored on it will become permanently inaccessible. In fact, a sealed QubiBox can only be reset to the factory default settings, an operation which deletes all the user data stored on it.

Yes, you can link the app with any number of QubiBox devices. Note, however, that each QubiBox will be treated as a separate repository and there cannot be any sharing of records or data across the linked QubiBox devices.

We keep no record of your Login Password and we will be unable to help recover it if you forget it. Since there is no way to access your records without entering the correct Login Password, if you forget it your login will be blocked and all your records will become inaccessible, even to you. However, linking the app with a QubiBox device allows setting a Power Password, which you can use to access a blocked login and to choose a new Login Password.

Each time you enter a wrong Login Password, the counter of login attempts increases by one unit. When using the QubiBox app in standalone software-only mode, you can enter a wrong Login Password a maximum of 20 times, after which your login will be permanently sealed. This helps mitigate the risk of brute force attacks against your data. Linking the application with a QubiBox device allows setting the Power Password, which can be used to reset your Login Password in case you forget it and avoid losing all your data in such an unfortunate case.

You can enter a wrong Power Password only the maximum number of times defined in the security settings of the QubiBox app, after which your login will be sealed and all your records become permanently inaccessible, even to you. This helps protect the information stored in QubiBox against brute force attacks. The only allowed operation with a locked login or QubiBox device is a reset to the default factory settings, thereby deleting all user data without any option for recovery.
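The attempt counters described above can be modelled as a small state machine. This is an added example, not QubiBox code: the class and method names, the PBKDF2 verifier, the default Power Password limit of 5 and the counter reset after a successful login are assumptions; only the limit of 20 wrong Login Password attempts comes from the text.

```python
import hashlib, hmac, secrets
from enum import Enum

class State(Enum):
    ACTIVE = "active"    # Login Password is accepted
    BLOCKED = "blocked"  # login attempts exhausted, Power Password required
    SEALED = "sealed"    # nothing is accepted, factory reset only

class LockoutModel:
    """Hypothetical model of the counters described above (not QubiBox code)."""

    def __init__(self, login_pw, power_pw=None, max_login=20, max_power=5,
                 rounds=600_000):
        self.max_login, self.max_power, self.rounds = max_login, max_power, rounds
        self.login_fail = self.power_fail = 0
        self.state = State.ACTIVE
        self.login = self._enroll(login_pw)
        # power_pw=None models standalone, software-only mode (no linked device)
        self.power = self._enroll(power_pw) if power_pw else None

    def _derive(self, pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, self.rounds)

    def _enroll(self, pw):
        # Keep only a salted derivative, never the password itself
        salt = secrets.token_bytes(16)
        return salt, self._derive(pw, salt)

    def _matches(self, pw, record):
        salt, expected = record
        return hmac.compare_digest(self._derive(pw, salt), expected)

    def try_login(self, pw):
        if self.state is not State.ACTIVE:
            return False  # blocked or sealed: even the right password is refused
        if self._matches(pw, self.login):
            self.login_fail = 0  # assumption: a successful login clears the counter
            return True
        self.login_fail += 1
        if self.login_fail >= self.max_login:
            # Without a Power Password there is no way back from the limit
            self.state = State.BLOCKED if self.power else State.SEALED
        return False

    def unblock(self, power_pw, new_login_pw):
        if self.state is not State.BLOCKED:
            return False
        if self._matches(power_pw, self.power):
            self.login = self._enroll(new_login_pw)
            self.login_fail = self.power_fail = 0
            self.state = State.ACTIVE
            return True
        self.power_fail += 1
        if self.power_fail >= self.max_power:
            self.state = State.SEALED  # records are now permanently inaccessible
        return False
```

The model makes the trade-off visible: the limits cap an online guessing attack at a fixed number of tries, and the same limits turn a forgotten Power Password into permanent data loss.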

We keep no record of your Power Password, and we will not be able to help in any way to recover it if you forget it. During initial setup, the Power Password is used to encrypt keys stored on the linked QubiBox and then it is permanently deleted from the QubiBox app’s memory context.

Security is a process and cannot be reduced to the choice of a single password string. Even a strong password can be compromised in many ways by a user’s reckless behavior or by a poorly designed product. The QubiBox app displays warning messages based on security best practices and provides tools and information to allow improving your data’s security. If you have reasons for not following good security guidelines, we trust you can understand and accept the associated risks.

A password is strong and can serve its purpose only if it is difficult for a hacker to crack. Password strength revolves around one key strategy: creating a string of characters that nobody can easily predict or guess. Randomness is the main approach to creating passwords that can’t be guessed, but unfortunately it turns out that humans are poorly equipped to both recognize and apply randomness in passwords. In fact, different people end up choosing very similar words or strings when they create a password. Hackers have exploited this tendency by using word “dictionaries” containing the most common password strings along with software that automatically tries to login with each of these “dictionary passwords”.

Since choosing random character strings is not well suited to humans, the approach to generating secure passwords with low predictability must rely on automated tools for selecting a wider variety of characters and for estimating the string’s “practical randomness” (or, to use a technical term, its entropy). The Password Generator tool available in the QubiBox app allows generating and copying strings that can be used as passwords and provides a measure of their strength based on the strings’ entropy as a function of the generation process and of statistical information about commonly used real-life passwords.

Besides randomness, length (i.e. the number of characters in the password) is another parameter that can be very effectively exploited to make cracking harder for hackers. In QubiBox, we support passwords with up to 32 characters in length to enable the use of passphrases so that users can choose longer strings using any characters they like (including spaces), thus aiding memorization.

The advantage of using passphrases can be appreciated from the following example:

Password: <{3T!Xr](:uF
Length: 12
Entropy: 59 bit
Charset Size: 94 characters

Passphrase: My cat's name is BILLY!
Length: 23
Entropy: 115 bit
Charset Size: 85 characters



As you can see, both the password and the passphrase can be considered strong for all practical purposes and can be obtained from character sets of comparable sizes. However, the passphrase has almost twice the entropy and it’s clearly much (much!) easier to remember. In the context of QubiBox, we suggest that you choose different memorable long passphrases for the Login Password and Power Password, while using the Password Generator to create strong random strings for all other password attributes of records managed with QubiBox.

For more general information on the topic of password strength, check Appendix A: Estimating Entropy and Strength in the following document: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf and the latest Digital Identity Guidelines by NIST (National Institute of Standards and Technology) at https://pages.nist.gov/800-63-3/sp800-63b.html.

This is not a technical limitation of QubiBox, but rather an architectural design choice rooted in the simple security principle that a chain is only as strong as its weakest link. In slightly more technical terms, when you couple two products the “attack surface” available to hackers increases almost proportionally since the vulnerabilities of both applications are in principle exploitable.

Now, it is well known that Internet browsers are among the most insecure general-purpose applications, so allowing direct access from browsers to the QubiBox data would expose your records to potentially devastating attacks. In fact, the opinion of most security professionals is that methods used to fetch and populate data on web pages are too loose in their autofill policies and the results can be disastrous since an attacker can extract a wealth of information without the user’s knowledge or consent. The QubiBox app does provide a secure and quick way to copy/paste passwords into web pages even without autofill. Please check the tutorial section on the QubiBox website for a step-by-step demo.

The QubiBox app requires entering the Login Password before allowing access to your records. After reaching the maximum number of wrong login attempts, the login and any linked QubiBox device will be blocked from further usage until you enter the Power Password. All your records are stored in permanently encrypted format using some of the strongest ciphers available in the industry, such as AES-256 and RSA 2048. Boxed records cannot be viewed, modified or copied unless you connect the QubiBox and confirm by pressing the function button.

Please check the QubiBox security white paper for more details.

Syncing is performed by the QubiBox app each time you connect a linked QubiBox device. As soon as the connection is established, any new records and changes to existing records are synchronized between the app and the QubiBox device, without the need for any action on your part.

All new and modified records are seamlessly backed up while you use the QubiBox app without the need for any action on your part. On PCs and laptops, it is also possible to select the manual backup option: in that case, a backup will be performed only when you manually request it. The backup archive is stored on the client device (smart phone, tablet or PC) running QubiBox and is encrypted using AES256.

Should you lose your QubiBox device, you can restore all your records by simply connecting a new QubiBox to any of your client devices while the QubiBox app is running, selecting the backup archive and entering the related Power Password when requested.

The QubiBox backup archive is an AES256 encrypted container of data which is indecipherable without the knowledge of the key which was used to encrypt it. During a restore operation, after you enter the Power Password, the encrypted backup key is sent to the QubiBox where it is decrypted and restored via firmware.

Without the knowledge of your Power Password, the backup archive is practically useless. It is for this reason that you should choose a strong Power Password (preferably a long passphrase), never reveal it to any untrusted party and use it only when strictly required. Please refer to Section 5.5 of the QubiBox security white paper for a more detailed discussion.

The current limit is about 1,000 records. This is an architectural design limitation of QubiBox which we may decide to lift with new product versions depending on the demand received from customers under common usage scenarios. However, based on QubiBox user testing results and real-life software password managers’ usage reports, the average number of private information records per typical user is estimated to remain well below 1,000 for the next several years.

The QubiBox comes with a microSD memory of 8GB, 16GB or 32GB size for attaching files to your records and to store any other files you may wish to secure on the device. This mass storage is mounted and made available to the host computer running the QubiBox app after pressing the function button of the QubiBox for more than 5 seconds (default setting), or only after a successful login. You can activate this latter mounting criterion by selecting the related setting in the QubiBox app.

When running the QubiBox app on a PC, the files you attach to records are stored in encrypted format inside of a hidden folder in the QubiBox microSD memory. If you delete this folder or format the QubiBox mass storage partition, the QubiBox app will be unable to find and recover the files you attached to your records. Note that attachments added to records when using QubiBox on a PC are also kept encrypted in the backup archive and, therefore, can be fully recovered in case you lose the QubiBox device.

When running the QubiBox app on a mobile device (smart phone or tablet), the files you attach to records are encrypted and kept in the storage dedicated to the QubiBox context (sandbox) of the mobile device and not in the QubiBox device’s mass storage. Please note that due to Bluetooth performance limitations and incompatibility between different operating systems, the files attached to records are not synced across mobile clients and can be accessed only from the QubiBox app running on the client device where they were originally added.

Every QubiBox device is identified by a unique serial number consisting of twelve alphanumeric characters etched on the back of the device, right above the certification logos. The serial number is also displayed in the QubiBox app at the login prompt, in the QubiBox Info pane and when a new (non-linked) QubiBox device is discovered.

Although QubiBox is certified as a class 2 Bluetooth device, we are limiting the range over which it can stably connect with client devices to about 5 meters, assuming no interference from objects around you. This allows extending battery lifetime while hardly impacting usability given that most operations with QubiBox require close proximity and physical action on the device.

We regularly update the favicons used in the QubiBox app to include those for the most common websites. However, if some of your records are still listed without the proper website icon, you can opt-in to submit an anonymous request for icons in the app’s settings. This allows sending us the URLs lacking an associated favicon without exposing any other information regarding your records or your personal information. This opt-in feature is disabled by default.

In the QubiBox app we automatically collect some usage information and technical data, such as the average duration of a session, the frequency of login or the paths users take from one screen of the app to the next. This information is fully anonymized and we cannot link it to any person. You can opt out at any time from our collection of anonymous usage information by selecting this choice in the application’s settings. Please refer to our privacy policy for more information.