Overview
As is the case with other password managers, Abine Blur is a tool that permits internet users to automatically protect their accounts with strong passwords without the need to remember them all.
Nowadays, consumers must remember passwords to a huge number of accounts. And, unless all those accounts have unique, complex passwords - internet users are opening themselves up to the potential of hacking. Password managers like Blur aim to solve this problem by letting users set robust passwords that it remembers on their behalf.
Internet users who decide to make use of Blur can do so either for free or by paying for a premium account. What’s more, all users get 30 days of premium for free when they first download the extension. Best of all, the most important features - password management, anti-tracking, and masked emails - are all available without upgrading to premium. However, anybody who wants to use the card masking feature on the free version will need to pay a $2 fee each time they do.
For those people who love the extension, investing $39 per year will improve the service by adding password backup, across device synchronization, and a safe phone number that forwards to your real number. And, by paying $14.99 per month - or $99 annually - users get access to the Unlimited version of Blur - which comes with unlimited use of the masked credit cards feature with no hidden costs.
Abine Blur Features
- Extension available for all platforms (Chrome, Firefox, Internet Explorer, Opera, and Safari)
- Web tracker blocking
- Masked emails
- Masked credit cards (premium)
- Masked phone numbers (premium)
- Password sync across devices
- Autofill passwords
- Import and Export passwords feature
- Auto-lock to ensure passwords are safe
- Fingerprint unlock (Android and iOS)
- Recover account with a backup passphrase
- End-to-end-encryption
Signing Up
Getting an account with Blur is extremely easy, simply provide an email address and password and you are ready to start using the extension.
The service also asks you to make note of a backup passphrase, so that you will be able to recover your account should you forget your primary password. After signing in, Blur asks you to download the Chrome or Firefox extension; which forwards you to the PlayStore where you can get the app. Having installed it, you are free to start using the software to protect your accounts with a password that you no longer need to remember.
The first thing that you notice after installing Blur, is that the extension instantly starts blocking trackers on the websites that you visit. This is notable because (like other track blocking apps such as Privacy Badger) it shows you a little number next to the icon on your extension taskbar.
As you can tell from the image above, Blur shows the same number as Privacy Badger. This reveals that it effectively spotted and blocked the same number of trackers on the web page we were visiting.
Ease of Use
With the extension installed and already performing tracker blocking, users can start by clicking the Blur icon in their toolbar. Doing so reveals a window that provides access to the four primary functions: Accounts, Wallet, Masking, and Tracking. Those features can be switched on or off for each of the sites that you visit. Clicking on any of those functions opens a Window where you can alter settings and implements preferences. Clicking on Masking allows you to select from Masked Emails, Masked Cards, or Masked Phones. The masked phone number feature is only available with a full-paid account and provides very similar functionality to Google Voice.
Clicking on Wallet allows you to set up auto-filling of card details, auto-filling of identities, and auto-filling of addresses - as well as the Masked Cards feature. This allows you to breeze through online forms without having to constantly fill out your data. Adding a card is easy and can be done when using the free trial of premium.
Once your card has been added to your dashboard you can opt to either autofill the details for ease of use, or use the masked cards feature for added security.
Clicking on Accounts opens the dashboard where you can input the passwords and credentials for your accounts. If you are setting a new password, you can make use of the strong password suggestion feature.
Passwords and auto-fill
Rather than adding a password manually into the dashboard, we began by visiting a login page that requires a password. For this purpose, we decided to visit Facebook to see whether the password manager would automatically prompt us to save our password for future login attempts.
Attempting to login to Facebook instantly caused a Blur pop-up to appear that let us know that the password manager had timed-out and locked. As a result, we had to enter our password in order to be able to enter our Facebook credentials.
With Blur unlocked, you are prompted to add the password to your vault:
Clicking on “Click to Add” opens another pop-up where you are able to manually enter your details for it to autofill in the future. However, if you simply enter your credentials and password into the form, Blur will ask you if you want to automatically save those details to your password vault.
With the account saved, you can return to the login page where Blur will automatically fill the data into the login page and log you in successfully.
We found the process to be extremely easy and definitely suitable for beginners looking for a password manager that works without effort. And, if you do happen to enter the password incorrectly for any reason Blur will alert you as soon as the login fails, enabling you to update the password without having to search through menus.
Email masking and the Android app
Next, we installed Blur on Android and in order to check out the client and test the email masking feature. The feature works perfectly and allows you to send an email to a randomly created address that is magically forwarded to your real inbox.
This feature is really useful and is a fantastic resource considering it is free. As for the Android app itself? We found it easy to use, and the fact that it syncs automatically to the version in your browser is great for beginners. For users who want to, it is possible to set up fingerprint unlock - useful because the app locks up quickly requiring you to constantly enter your password.
Importing passwords
Anybody wanting to import their passwords from another password manager can do so either via a CSV file, or directly from a number of services including 1Password, Dashlane, KeePass, LastPass, PasswordWallet and RoboForm. We tested importing old passwords using a .CSV file and found it to work without a hitch.
Exporting your data is also possible and Blur always asks you for your password before allowing you to proceed. Users can opt to export either as a Blur data backup for restoring the account or via CSV file for migrating your passwords to another service.
Dual factor authentication is available with Account settings, but users can only opt to use authentication apps like Authy, Google Authenticator, or FreeOTP. SMS authentication and physical 2FA via a Yubikey are not currently available, which is a shame.
Autolock
For added security, users can opt to change how often they are prompted for their password. The Auto Lock feature allows you to set Blur to log out every time you restart your browser, and as often as every 15 minutes. This ensures that if you leave your computer for a prolonged period, your passwords will not be available. The Password Security feature allows you to set Blur to require a password even if the computer is in use, this can be set to run every 15 minutes.
It is also possible to check the automated backups that are made by Blur, this can allow you to make use of versioning to access a previously used password. For security purposes, it is possible to delete those backups if you wish.
Anybody hoping to sync their passwords across their devices is also taken care of.
In addition to the main settings page in the dashboard, anybody wanting to fiddle with the settings that the Blur comes with by default can do so by clicking on its icon in the toolbar of their browser followed by Settings. Doing so will open the following window:
Users can update those settings either for each individual site they visit or for all sites. Clicking on Manage Ignore Lists allows you to check which websites have had specific features, such as “Auto-fill credit card” switched off. Below you can see how it looks when a setting has been switched off.
For those who want to make use of the masked credit card feature, Blur allows you to create a temporary “burner” card that you use to shop online. Every time you use the masked card feature, Abine will act as a middle man and handle the transaction so that only Abine will ever have access to your real card details. As a result, this fake card allows you to shop without ever handing over your real data to online merchants - as a result of which it is much harder to fall for phishing attacks.
Being able to customize which websites are allowed data ensures that you never accidentally provide data that you aren’t comfortable with.
On the whole, we found Blur to be extremely easy to use, and considering all the features it provides even on the free version - it truly is
Privacy and security
Being based in the US is not ideal in terms of privacy, because any firm based in the US is subject to warrants and gag orders. This means that Abine could technically be forced to secretly start providing whatever data it has to US authorities. Add this to the fact that Blur is a completely closed source platform, and you may well have some apprehensions about using the service. The fact that it is closed source, means that you do have to trust Abine to do as it says it does with your data. This is because it is impossible to tell whether it has vulnerabilities or back doors that could potentially give the firm access to your master passwords.
The firm claims not to have access to your master password or backup passphrase in anything but an encrypted format. This may well be true, but, because this service is closed source, there is always going to be an element of trust involved in using the service. Whether you want to trust the firm to do the things it claims, that is completely down to you and your personal threat model.
If you prefer to use a firm that offers 100% transparency, you will need to opt for a password manager that can prove its security with an audit of its open-source code. With that out of the way, we can jump into analyzing the claims made by Abine Blur.
Privacy policy
We checked the privacy policy to check how the firm treats your data. Abine states that it does not sell user data to anybody. However, it does state that it shares data with third parties which it has contracted in order to provide its services. In addition, the amount of data that Abine holds about consumers is fairly low. It does keep some aggregated data in order to run the service, however, unless it is strictly necessary for providing the service it does not keep that data stored next to personal information.
One thing we did notice is that the firm states it does keep a record of “where you downloaded” Blur. It is not clear whether this means it stores your IP address, or whether it just makes a note of the country you download the extension from.
It is also worth noting that because you use Blur to autofill passwords on websites, the extension is gaining telemetry about the websites you visit and thus it is performing some level of tracking. However, the firm claims not to ever share this data or sell it.
Beyond that, the firm states that it has never “received a national security order and we have not been required by a FISA court to keep any secrets.” Whether you believe this statement is really down to you, however, it is worth noting that if it does receive a gag order it will not be allowed to tell anybody and so it is very likely that the privacy policy will remain the same.
On the other hand, we could presume that the sentence is a warrant canary (though we aren’t sure whether it is) and if that sentence ever disappears from the privacy policy it may be fair to assume it has been served a warrant and gag order.
On the whole, the privacy policy seems strong, and it does not raise any specific alarm bells, meaning that this service appears to treat data in a secure manner for the purposes of providing the service only.
Encryption and security
By default, Abine Blur comes preset to store all your data on its cloud servers. However, users who prefer only ever to store their passwords locally can do so by navigating to Account > Settings > Backup & Sync. Storing your data locally does mean that if anything happens to your computer, or if your web browser's local files are deleted or corrupted, you could lose all of your passwords. However, this is generally considered the safest way to store your passwords because it reduces the risks involved with them being on Blur’s servers.
With that said, it is worth noting that storing your passwords on Blur’s servers should be perfectly safe - because all your data is encrypted in your browser before being uploaded to the cloud. Your stored passwords and auto-fill credit card numbers are encrypted on your device using secure AES-256 encryption.
Your backup passphrase acts as a secondary recovery password that is attached to the private key that is used to encrypt your data. This data, and your backup passphrase, never leaves your device in an unencrypted, readable, form. This means that Blur staff cannot access your passwords under any circumstances, and, even if the firm is hacked, only an encrypted version of your password is available on its servers. This is what the firm told us about how the system works:
“When your data is synched with Abine it is first encrypted, and then your backup passphrase is encrypted with your master password. These encrypted objects are what is sent to Abine. Your master password is also never sent to Abine. For authentication we use a hashing process, so we (Abine), never know your original master password, we only know the output of a one-way function on your master password.”
This end-to-end encryption should ensure that your data is always safe. However, it is worth noting that if you forget your password and lose your backup passphrase you will not be able to regain access to your passwords, they will be lost forever. Under these circumstances, the firm will need to reset your master password and create a new backup passphrase, which means that you will have to start afresh saving your passwords into your Blur vault.
Security flaws?
While it is true that Blur received some negative press at the end of 2018 due to a vulnerability that was discovered, that problem which was migrated over from a previous utterance of the app called MaskMe, has since been patched. The security flaw potentially allowed hackers to gain access to the following data:
- Somer users’ email addresses
- Some users’ first and last names
- Some users’ password hints (but only from its old MaskMe app)
- Each user’s last and second-to-last IP addresses used to login to Blur
- Each user’s encrypted Blur password (fully encrypted and therefore not useful and not usable to access people's passwords).
While the security flaw was serious, the good news is that due to the end to end encryption employed by Blur, hackers would only have been able to access people’s encrypted master password (in encrypted format only and therefore not useful), meaning that they would not have been able to gain access to people’s credit card details, passwords, and other data protected within their vault. This, while the vulnerability was concerning it, was, fortunately, not highly damaging to Blur users.
Device and location warnings
For added security, Blur sends you a message anytime that you login to your passwords from a new device or location. This means that using a VPN will result in you receiving a security check. The email allows you to navigate to a page where you can verify all the devices and locations that you have logged in from. This allows you to flag the login as a fraudulent activity if you believe the account has been compromised.
Dual Factor Auth
For those who want to, it is possible to set up dual-factor authentication. This will add an extra layer of security. We also recommend making use of the features that ensure Blur is locked and requires a password after it has been inactive for 15 minutes, and every time your browser is restarted.
Customer support
Customer support for Abine Blur is primarily handled via a large database of FAQ responses on its website. That FAQ section is a useful resource that can help to clear up most questions you might have about the service. We found useful information about installing the software, setting it up, backing up, restoring an account with the passphrase, and many other important topics.
For anybody wanting more direct support, it is possible customer service by clicking the button in the top right of the FAQ page. Here you can ask a question that will be answered via a ticket system.
Final Thoughts
Abine Blur is an extremely interesting browser extension that offers fantastic cross-device compatibility. Beginners looking for a password manager that auto-fills on the fly can make use of this software for free, and because it doubles as a tracker stopping application - it really offers a lot of benefits to users.
The ability to mask your email allows you to engage in online marketing, shopping, and any other activities without having to hand over your real email address. And for those who decide to splash out on the premium account, a secure phone number that masks your real phone number (like Google Voice numbers) is fantastic for avoiding spam calls and phone scams.
We enjoyed just about everything about this app, and it seems fair to say that for free it is an exceptionally useful extension. However, it is also true that this firm is based in the US and that it is closed-source, which may ring alarm bells for certain consumers.
Whether you decide to trust and use Blur is really up to you, and your personal threat model. If you have privacy concerns about Blur password manager, then you may want to stick to something like BitWarden. However, for the average consumer, Blur is a really comprehensive tool that stands to provide a lot of privacy at zero cost. And for this reason, we give Blur a thumbs up.