Protect all your sensitive data with Passwarden

Have you ever wondered how secure password managers really are? How does a password manager encrypt your passwords? Which cryptographic algorithms does it use? And finally, can you trust Passwarden?


Let's answer all your whats and whys!

Passwarden security principles


Passwarden is a password manager created by professionals with more than seven years of experience in security. To achieve maximum privacy and keep your data safe from threats, we follow these security principles:

We use only state-of-the-art, proven, high-reliability cryptographic algorithms, so no one, KeepSolid employees included, can read your data.
To ensure maximum privacy, we implement client-side encryption: all encryption and decryption run on the end user's device, and data leaves the device only in encrypted form.
Our customers can access their Passwarden data from anywhere in the world without relying on any external service for sharing or synchronization.
We make every effort to build a straightforward, easy-to-use password manager, so there is no reason to fall back to unprotected (but convenient) places to keep passwords.

Cryptographic primitives

Passwarden implements symmetric encryption and decryption with the Advanced Encryption Standard in Galois/Counter Mode, or AES-GCM for short. AES offers three key lengths; we use the strongest, 256 bits. GCM is an authenticated-encryption mode: besides confidentiality it produces an authentication tag, so any modification of the ciphertext is detected on decryption, and it is fast on every platform we support. The keys fed to AES-GCM are derived with a random 256-bit salt (see HKDF below).


For public-key cryptography, our password manager uses Elliptic Curve Diffie-Hellman key agreement on the secp384r1 curve, abbreviated ECDH P-384. It is what lets two accounts agree on a key that only they know, which is the basis of shared Vaults; together with the signatures described below, it keeps shared data both confidential and untampered.


Furthermore, Passwarden implements HKDF-SHA512, the HMAC-based key derivation function, with a random 256-bit salt. Every preliminary key (for example, an ECDH shared secret) is passed through this function to obtain the KEK, the Key Encrypting Key. So that we're on the same page: a KEK is a cryptographic key used to encrypt other cryptographic keys, never the data itself.


To validate the integrity of a Key, we use the Elliptic Curve Digital Signature Algorithm (ECDSA) on the secp384r1 curve. All private keys are stored in encrypted PKCS#8 form, protected with AES-256-CBC under a key derived from your Master Password by the Argon2id key derivation function. Its parameters are tunable, but never below 16 MB of memory and 4 iterations, which keeps brute-forcing the Master Password expensive even on GPU hardware.


This block diagram shows how the authentication and data decryption processes are implemented in the Passwarden application.

Cross-platform security

To give our customers the most convenient way to store passwords and other valuable data, Passwarden has to run on the major operating systems: iOS, Android, macOS, and Windows. Both the desktop and mobile applications are built on the high-performance, time-tested OpenSSL library, which provides the cryptographic primitives listed above.


We also offer a lightweight browser extension for Chromium-based browsers and Firefox, and a web version of the password manager that works on any device. In both the web application and the browser extensions, Passwarden uses the browser's built-in WebCrypto implementation. Since WebCrypto has no Argon2, our Argon2id code is based on the reference implementation.

Security of cloud synchronization

All your Passwarden data is stored on your device and synced with our cloud servers. Once you log out of the app, for whatever reason, all data stored on your device is automatically deleted. Don't be quick to worry about losing information: it remains stored, in encrypted form, in the KeepSolid cloud. As soon as you authenticate with both your KeepSolid ID and your Master Password, all data is synchronized back to the device.


To add an extra layer of security to your account, we highly recommend enabling two-factor authentication (2FA). For more information about 2FA, check out this page.


Here is a sequence diagram of client-server interaction.

Sharing security

Passwarden offers state-of-the-art data sharing. The feature is built on public-key cryptography and client-side encryption, so the shared Vault is never readable by the server.


Each time you share a Vault, Passwarden requests the Public Key of each account you share it with and generates an additional ephemeral key pair. The ephemeral private key is combined separately with each recipient's Public Key.


Each such ECDH combination yields a preliminary key, which is passed through HKDF-SHA512 with a random 256-bit salt to produce the key that encrypts the Vault Key. Note that only the encrypted version of the Vault Key is sent to the recipient; the Vault Key itself and the ephemeral private key never leave your device.


More information about secure data sharing can be found here.

Data transfer security

Both the data and the metadata transferred between the Passwarden app and the API servers are protected by HTTPS over TLS 1.3 (with TLS 1.2 as a fallback).


To have common ground: TLS, or Transport Layer Security, is a cryptographic protocol that provides confidentiality and data integrity between two communicating applications, and authenticates the server through its certificate chain, so the app knows it is talking to KeepSolid and not to an impostor.


Thus, all data in transit is encrypted and protected from both accidental corruption and malicious tampering, on top of the client-side encryption it already carries.

Security of DB servers

Both the Passwarden API servers and the KeepSolid database servers are hosted on protected Amazon (AWS) instances. Access policies are enforced on both the Amazon side and the KeepSolid side, and because all data is encrypted on the client before it is uploaded, the database holds only ciphertext.

Try out our top-notch password manager

Explore all the benefits of Passwarden: securely store your data, safely share your passwords with friends and family, enjoy strong password generation, and try out other handy features.