Have you ever wondered how secure password managers are? How do password managers encrypt passwords? Which encryption protocols do they use? And finally, can you trust Passwarden?
Let's answer all your whats and whys!
Passwarden is a safe password manager created by professionals with more than 7 years of experience in security. To achieve maximum privacy and keep your data safe from threats, we implement the following security principles:
Passwarden implements symmetric encryption and decryption using the Advanced Encryption Standard in Galois/Counter Mode, or AES-GCM for short. This algorithm offers three possible cipher key lengths; we use the strongest, a 256-bit key. AES-GCM, combined with a random 256-bit salt for key derivation, provides both authenticated encryption and high encryption and decryption speed.
For public-key cryptography, our password manager uses the Elliptic Curve Diffie-Hellman algorithm on the secp384r1 curve, abbreviated as EC P-384. Thus, you won't have to worry about the confidentiality and integrity of your data while you are using shared Vaults.
Furthermore, Passwarden implements HKDF-SHA512, the hash-based key derivation function, with a random 256-bit salt. Generated preliminary keys are always passed through this function to produce the KEK (Key Encrypting Key). So that we're on the same page: a KEK is a cryptographic key that is used for encrypting other cryptographic keys.
To validate the integrity of a Key, we implement the Elliptic Curve Digital Signature Algorithm (ECDSA) on the secp384r1 curve. In addition, all private keys are stored in PKCS#8 form encrypted with AES-256-CBC, using a Key that is derived from your Master Password through the Argon2id key derivation function with variable parameters: at least 16 MB of memory and 4 iterations.
This block diagram shows how the authentication and data decryption processes are implemented in the Passwarden application.
To provide our customers with the most convenient and comfortable way to store passwords and other valuable data, Passwarden is required to work on major operating systems such as iOS, Android, macOS, and Windows. Both the desktop and mobile applications are based on the high-performance and time-tested OpenSSL libraries that ensure the best performance and security.
We also offer a lightweight browser extension for Chromium-based browsers and Firefox. You can also use the web version of our password manager on any device. For both the web application and the browser extensions, Passwarden uses the browser's built-in WebCrypto implementation. For Argon2id, we use code that is based on the reference implementation.
All your Passwarden data is stored on your device and synced with our cloud servers. Once you log out of the app, whatever the reason, all data stored on your device is automatically deleted. Don't be too quick to worry about losing information: it is reliably stored in the KeepSolid cloud. As soon as you authenticate using both your KeepSolid ID and your Master Password, all data is synchronized again.
To add an extra layer of security to your account, we highly recommend enabling two-factor authentication. For more information about 2FA, check out this page.
Here is a sequence diagram of client-server interaction.
Passwarden offers state-of-the-art data sharing. This feature is based on a public-key cryptography algorithm and client-side encryption.
Each time you share a Vault, Passwarden requests a Public Key for each account you share this Vault with and generates an additional Ephemeral Key Pair. This ephemeral key is combined separately with each recipient's Public Key.
Using the Elliptic Curve Diffie-Hellman algorithm, our password manager computes a shared secret from which a Preliminary Key is derived with HKDF-SHA512 and a random 256-bit salt; this key is used to encrypt the Vault Key. Note that only the encrypted version of the Vault Key is shared with the recipient.
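The following Go program is an added example, not Passwarden's own code, that walks through the sharing flow described above and the primitives listed earlier on this page (EC P-384 Diffie-Hellman, HKDF-SHA512 with a random 256-bit salt, AES-256-GCM): the sender generates an ephemeral P-384 key pair, runs ECDH against the recipient's public key, derives a wrapping key, and encrypts the Vault Key; the recipient repeats the derivation and unwraps it. The HKDF info label, the struct layout and the use of the ephemeral public key as GCM associated data are assumptions made for this example; the HKDF routine is written out with HMAC so the program needs only the Go standard library (Go 1.20 or later for crypto/ecdh).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// hkdfSHA512 is HKDF (RFC 5869) extract-then-expand with HMAC-SHA512.
func hkdfSHA512(ikm, salt, info []byte, length int) []byte {
	ext := hmac.New(sha512.New, salt) // Extract: PRK = HMAC(salt, IKM)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte // Expand: T(i) = HMAC(PRK, T(i-1) | info | i)
	for i := byte(1); len(out) < length; i++ {
		m := hmac.New(sha512.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// hkdfInfo is a hypothetical context label chosen for this example.
var hkdfInfo = []byte("example-vault-key-wrap")

// SharedVaultKey is everything the sender transmits to one recipient.
type SharedVaultKey struct {
	EphemeralPub []byte // sender's ephemeral P-384 public key
	Salt         []byte // random 256-bit HKDF salt
	Nonce        []byte // 96-bit AES-GCM nonce
	WrappedKey   []byte // Vault Key encrypted under the derived key (+ GCM tag)
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ShareVaultKey is the sender side: ephemeral ECDH, HKDF-SHA512, AES-256-GCM.
func ShareVaultKey(recipientPub *ecdh.PublicKey, vaultKey []byte) (*SharedVaultKey, error) {
	eph, err := ecdh.P384().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	secret, err := eph.ECDH(recipientPub) // shared secret, never sent
	if err != nil {
		return nil, err
	}
	salt, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := aesGCM(hkdfSHA512(secret, salt, hkdfInfo, 32))
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	// The ephemeral public key is bound as associated data, so swapping it
	// in transit makes the GCM tag check fail on the recipient's side.
	wrapped := gcm.Seal(nil, nonce, vaultKey, ephPub)
	return &SharedVaultKey{EphemeralPub: ephPub, Salt: salt, Nonce: nonce, WrappedKey: wrapped}, nil
}

// ReceiveVaultKey is the recipient side: same derivation, then unwrap.
// Any tampering with the message, or the wrong private key, returns an error.
func ReceiveVaultKey(recipientPriv *ecdh.PrivateKey, msg *SharedVaultKey) ([]byte, error) {
	ephPub, err := ecdh.P384().NewPublicKey(msg.EphemeralPub)
	if err != nil {
		return nil, err
	}
	secret, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aesGCM(hkdfSHA512(secret, msg.Salt, hkdfInfo, 32))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.WrappedKey, msg.EphemeralPub)
}

func main() {
	recipient, _ := ecdh.P384().GenerateKey(rand.Reader) // recipient's long-term key pair
	vaultKey := make([]byte, 32)                          // constructed sample Vault Key
	rand.Read(vaultKey)
	msg, err := ShareVaultKey(recipient.PublicKey(), vaultKey)
	if err != nil {
		panic(err)
	}
	got, err := ReceiveVaultKey(recipient, msg)
	fmt.Printf("unwrap ok: %v, err: %v\n", err == nil && string(got) == string(vaultKey), err)
}
```

The recipient never sees the sender's ephemeral private key or the raw shared secret, only the encrypted Vault Key, which matches the page's statement that only the encrypted version is shared; the second half of the test below also shows that a modified message or a different recipient key cannot unwrap it.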
You can find more information about secure data sharing here.
Both the data and the metadata transferred from the Passwarden app to the API servers are protected using HTTPS based on the TLS 1.3/1.2 protocols.
To have a common ground: TLS, or Transport Layer Security, is a cryptographic protocol that provides privacy and data integrity between two communicating applications, and verifies the server's identity with certificate chains.
Thus, all transferred information is reliably encrypted and protected from accidental damage and malicious tampering.
Both the Passwarden API and the KeepSolid database servers are hosted on protected Amazon instances. As access policies are enforced on both the Amazon side and the KeepSolid side, you can be sure of your data protection.
Explore all the benefits of Passwarden: securely store your data, safely share your passwords with friends and family, enjoy strong password generation, and try out other handy features.