Privacy Statement

Your safety, as well as the safety of your data is critical to us. Passwork follows these basic safety principles:

  1. All critical data is encrypted in your browser, and is not transmitted to the server in clear. This means that no one but you, as well as those to whom you have granted access to your vaults in Passwork, can gain access to encrypted information. Passwork employees do not have access to your data.
  2. We do not collect and store your private and personal data.
  3. We do not provide third party access to our servers, we do not share any user data entered in forms.
  4. Your data undergo a series of additional measures (server encryption etc.).
  5. Employees' access to the servers is strictly regulated and Passwork limited.

The basic principles of Passwork

  1. Server receivs data that is already encrypted.
  2. The encryption key is stored on the client's browser and never transmitted to the server.
  3. All data operations occur on the client system (encryption), and the server just stores the data.

Master password — This is the key that encrypts all data on the client. This master password is stored in the browser and is not transmitted to the server.

Passwork uses vaults to organize a collaboration. Each user can create a vault and invite other users, as well as set up access, etc. Passwords are stored in vaults.

Each vault has its own 256-bit vault invitation code (the vault password). All data is encrypted with the vault invitation code.

In turn, the vault invitation code is encrypted with the master password, and its encrypted version is stored on the server along with the user data.

Registration and authorization password

At registration, the user specifies the e-mail and authorization password. The authorization password is only needed to log in. If you forget it, it is easily restored.

Because the data is encrypted with the master password, but not the authorization password, the knowledge of the authorization password does not allow access to stored passwords. Therefore, after the restoration of the authorization password, you will be asked to specify the master password.

If your authorization password is stolen, it is certainly an inconvenience, but fortunately, the attackers do not have access to your passwords, as they will not know the master password.

Because the master password is stored in the browser, the system will require the user to enter the master password for each operation (if it cannot find it, for example, if you use a different computer or browser). You can decide not to keep the master password in the browser (for example, if you use someone else's computer).

The master password is never sent to the server, so we cannot restore it. If you forget the master password, you lose access to all your data.

Important

In order to help you get started with Passwork, the master password is generated based on your authorization password at the time of registration. Once the user logs into the system, the user sees a notice to improve security and safety and enter a new master password.

We strongly recommend that you choose and enter a new master password rather than using the authorization password.

The complexity of passwords

We believe that all users understand how important the data is that they are going to store in the system. That is why we do not impose any restrictions on the complexity of the authorization password and master password.

Creation of a new vault

  1. The user clicks "Create Vault".
  2. The system generates a vault invitation code - random 256-bit key (on the client).
  3. The vault invitation code is encrypted with the master password.
  4. The encrypted invitation code is stored on the server.

An invitation to the vault

  1. The user specifies the e-mail of the person to be granted access to the vault.
  2. The encrypted vault invitation code is loaded from the server, gets decrypted by the master password, and is displayed to the user.
  3. The user must pass the vault invitation code to the recipient using a 3rd party channel (if both users are already in the system, you can pass the vault invitation code by transferring it also, for details see paragraph «RSA encryption»).
  4. If the e-mail address is not in the system, an e-mail will be sent with a link that will navigate the person through the Passwork quick registration.
  5. User will see an invitation to join the vault and will need to specify the vault invitation code.
  6. The vault invitation code will be encrypted with the master password of the second user, and then stored on the server.

Password sending

  1. When you send a password, the system creates a copy and sends it to the recipient.
  2. If the recipient is not registered, the recipient will be directed to register.
  3. If the user is in the system and it has generated a pair of RSA keys, the password will be sent encrypted:
    1. the sender receives the receiver's public key
    2. the sender encrypts the password and sends it to the server
    3. the recipient decrypts the password using the private key on the client
  4. The user can specify a one-time code for additional protection during password transmission (it is actual if you do not use RSA encryption):
    1. password is encrypted with the one-time code on the client of the sender;
    2. the sender must inform the recipient of the one-time code by using a third party communication channel.
  5. If RSA keys are not generated or the recipient is not in the system, and one-time code is not specified, then
    1. the password is sent to the server in clear text and encrypted on the server before being stored in the database
    2. after receiving a password, it is deleted from the database

Password saving

  1. The client receives the encrypted vault invitation code from the server.
  2. The client decrypts the vault invitation code using the master password.
  3. The client encrypts the data using the vault invitation code.
  4. Encrypted data is sent to the server.

Obtaining a password from a vault

  1. The client receives the encrypted vault invitation code from the server.
  2. The client decrypts the vault invitation code using the master password.
  3. The client decrypts the password using the vault invitation code.

Access

  1. There are the following rights within a vault:
    1. Administrator — full access
    2. Write — full access to passwords, without the ability to invite and manage users
    3. Read only — read-only access
  2. For easy storage of passwords, users can create folders within a vault and assign them levels of access:
    1. Full — full access to passwords of a folder
    2. Read only — read-only access to passwords of a folder
    3. No access — an user has no access to the folder (even to view it)
  3. Access to a folder takes precedence over access to the vault.

Keeping the master password in a browser

  1. Upon registration, each user gets a randomly generated code from the server.
  2. When the client receives the the random code, it is used to generate a unique password.
  3. The master password is encrypted and stored in a local repository of the browser.
  4. Thus, further analysis of the local storage does not decrypt the master password.
  5. Users may decide not to store the master password in the local storage. In this case, the system asks the master password for each operation.

RSA encryption

  1. During authorization and login to the system, a RSA pair is generated.
  2. The public key is sent to the server
  3. The private key is encrypted with the master password, and sent to the server
  4. All operations with the data within a web-service between registered users are on a standard encryption scheme RSA.
At this moment, features which are related to RSA are in the testing stage, and are not deployed in the production version.