Privacy Statement

Your safety, as well as the safety of your data is critical to us. Passwork followes these basic safety principles:

  1. All critical data is encrypted in your browser, and is not transmitted to the server in clear Passwork. This means that no one but you, as well as those to whom you have granted access to your groups in Passwork, cannot gain access to encrypted information. Passwork employees do not have access to your data.
  2. We do not collect and store your private and personal data.
  3. We do not provide third party access to our servers, we do not share any user data entered in forms.
  4. Your data undergo a series of additional measures (server encryption , etc).
  5. Employees' access to the servers is strictly regulated and Passwork limited.

The basic principles of Passwork

  1. Server already receives the encrypted data.
  2. The encryption key is stored on the client's browser and never transmitted to the server.
  3. All data operations occur on the clients system (encryption), and the server just stores them.

Secret word (master password) — This is the key that encrypts all data on the client. This secret word is stored in the browser and is not transmitted to the server.

Passwork uses groups to organize a collaboration. Each user can create a group and invite other users, as well as set up access, etc. Passwords are stored in groups.

Each group has its own 256-bit password (group's password). All data is encrypted by the group's password.

In turn, the group's password is encrypted by the secret word (master password), and its encrypted version is stored on the server along with the user data.

Registration and authorization password

At registration, the user specifies the e-mail and authorization password. The authorization password is only needed to log in. If you forget it, it is easily restored.

Because the data is encrypted by a secret word, but not an authorization password, the knowledge of the authorization password does not allow access to stored passwords. Therefore, after the restoration of the authorization password, you will be asked to specify the secret word.

If your authorization password is stolen, it is certainly an inconvenience, but fortunately, the attacker does not have access to your passwords, as they will not know the secret word.

Because the secret word is stored in the browser, the system will require the user to enter the secret word for each operation (if it cannot find it, for example, if you use a different computer or browser). You can decide not to keep the secret word in the browser (for example, if you use someone else's computer).

The secret word is never sent to the server, so we cannot restore it. If you forget the secret word, you lose access to all your data.


In order to help you get started with Passwork, the secret word is generated based on an authorization password at the time of registration. Once the user logs into the system, he sees a notice to improve security and safety and think up a new secret word.

We strongly recommend that you choose and enter a new secret word rather than using the authorization password.

The complexity of passwords

We believe that all users understand how important the data is that they are going to store in the system, that's why do not impose any restrictions on the complexity of the authorization password and secret word.

Creation of a new group

  1. The user clicks the "Create Group".
  2. The system generates a group password - random 256-bit key (on the client).
  3. Group's password is encrypted with the secret word.
  4. The encrypted password is stored on the server.

An invitation to the group

  1. The user specifies the e-mail of the person he wants to grant access to the group.
  2. The encrypted group password is loaded from the server, gets decrypted by the secret word, and is displayed to the user.
  3. The user must pass the group password to the recipient using the 3rd party channel (if both users are already in the system, you can pass group password by transferring them also, for details see paragraph «RSA encryption»).
  4. If a user with an e-mail address that is not in the system, an e-mail will arrive with a link that will navigate them through the Passwork quick registration.
  5. User will see an invitation to join the group and he will need to specify the group's password.
  6. Group password will be encrypted by the secret word of the second user, and then stored on the server.

Password sending

  1. When you send a password, the system creates a copy and sends it to the recipient.
  2. If the recipient is not registered, it will direct them to register.
  3. If the user is in the system and it has generated a pair of RSA keys, the password will be sent encrypted:
    1. the client receives the sender's public key
    2. the sender encrypts the password and sends it to the server
    3. recipient using the private key decrypts the password on the client
  4. The user can specify a one-time code for additional protection during password transmission (it is actual if you do not use RSA encryption):
    1. password is encrypted by one-time code on the client of the sender;
    2. the sender must inform the recipient of the one-time code by third communication channel.
  5. If RSA keys are not generated, or the recipient is not in the system, and one-time code is not specified, then
    1. the password is sent to the server in clear text and encrypted on the server before being stored in the database
    2. after receiving a password, it is deleted from the database

Password saving

  1. The client receives the encrypted group password from the server.
  2. The client decrypts the group password using the secret word.
  3. The client encrypts the data using the group password.
  4. Encrypted data is sent to the server.

Obtaining a password from a group

  1. The client receives the encrypted group password from the server.
  2. The client decrypts the group password using the secret word.
  3. The client decrypts the password using group password.


  1. There are the following rights within a group:
    1. Administrator — full access
    2. Write — full access to passwords, without the ability to invite and manage users
    3. Read only — read-only access
  2. For easy storage of passwords, users can create folders within a group and assign them levels of access:
    1. Full — full access to passwords of a folder
    2. Read only — read-only access to passwords of a folder
    3. No access — an user has no access to the folder (even to view it)
  3. Access to a folder takes precedence over access to the group.

Keeping the secret word in a browser

  1. Upon registration, each user gets a randomly generated code from the server.
  2. When the client receives the the random code, he uses it to generate unique password.
  3. A secret word is encrypted, and stored in a local repository browser.
  4. Thus, further analysis of the local storage does not decrypt the secret word.
  5. Users may decide not to store a secret word in the local storage. In this case, the system asks the secret word for each operation.

RSA encryption

  1. During authorization and login to the system, a RSA pair is generated.
  2. The public key is sent to the server
  3. The private key is encrypted with a secret word, and sent to the server
  4. All operations with the data within a web-service between registered users are on a standard encryption scheme RSA.
At this moment, features which are related to RSA are in the testing stage, and are not deployed in the production version.