Security

At Password Boss the security of your data is our highest priority

How we protect your data

Password Boss has multiple layers of security to protect your account.

Security features to keep you safe

Our extensive security features keep your data safe and secure.

How to protect your account

Steps you can take to protect your Password Boss account.

Protecting your data

Introduction

Password Boss users trust us to keep their most sensitive information secure and private. Security is a guiding principle at Password Boss and is integral in all decisions we make on product design, development, personnel, security policies and controls. The information on this page is intended to provide transparency about how we protect your data.

Master password

Password Boss is built with the premise that any information a user stores in Password Boss should only be accessible to that user, and nobody else. The Master Password is the basis for this security. Each user chooses a Master Password and this becomes the key to locking and unlocking access to your data.

The Master Password is not stored or transmitted anywhere; even Password Boss does not have a copy. Without knowing your Master Password there is no access to the information stored in your Password Boss account. If a user forgets their Master Password, Password Boss employees do not have the ability to reset the Master Password.

Client side data encryption and decryption

All Password Boss user data is encrypted and decrypted locally using AES-256, the same level of encryption banks and governments use to protect data. This encryption has never been cracked and means that the data you store in Password Boss remains safe, secure and private.

All access to user data requires the Master Password. The Master Password is used to generate a unique encryption key using PBKDF2 (OpenSSL’s PKCS5_PBKDF2_HMAC_SHA1). The Password Boss client database is initialized with a unique random salt in the first 16 bytes of the file. This salt is used for key derivation and it ensures that even if two databases are created using the same password, they will not have the same encryption key. This process uses 64,000 iterations for key derivation.
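The derivation described above, as an added example that is not Password Boss code: it reads the 16-byte salt from the start of a constructed database image and runs PBKDF2-HMAC-SHA1 with 64,000 iterations to produce a 256-bit key. The UTF-8 password encoding, the file layout after the salt and the function names are assumptions.

```python
import hashlib
import os

SALT_LEN = 16          # page: salt occupies the first 16 bytes of the database file
ITERATIONS = 64_000    # page: 64,000 PBKDF2 iterations
KEY_LEN = 32           # 256-bit key for AES-256


def new_database(body: bytes = b"") -> bytes:
    """Build a constructed database image: random salt header + opaque body."""
    return os.urandom(SALT_LEN) + body


def derive_key(master_password: str, database: bytes) -> bytes:
    """Read the salt from the file header and derive the encryption key."""
    if len(database) < SALT_LEN:
        raise ValueError("database too short to contain a salt header")
    salt = database[:SALT_LEN]
    # UTF-8 encoding of the password is an assumption, not stated on the page.
    return hashlib.pbkdf2_hmac(
        "sha1", master_password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )


def demo() -> dict:
    """Show that the salt, not only the password, determines the key."""
    password = "correct horse battery staple"   # constructed sample value
    db_a = new_database(b"constructed-ciphertext-A")
    db_b = new_database(b"constructed-ciphertext-B")
    key_a = derive_key(password, db_a)
    return {
        "key_len": len(key_a),
        "same_db_same_key": key_a == derive_key(password, db_a),
        "different_salt_different_key": key_a != derive_key(password, db_b),
        "wrong_password_different_key": key_a != derive_key(password + "x", db_a),
    }


if __name__ == "__main__":
    print(demo())
```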

Server verification with certificate pinning

Password Boss protects against man-in-the-middle attacks initiated by rogue websites or malware by ensuring that the Password Boss client applications will only communicate with servers that are using known certificates.

Secure sharing of passwords

Password Boss makes it easy for users to share data with people you trust. You have complete control over who receives the information as well as how long they have access to it.

All shared data is secured using a unique key with a randomized IV, encrypting it with 256 bit AES in CBC mode and computing SHA256 HMAC on the ciphertext. The data is then encrypted using 2048 bit RSA keypairs prior to being transferred between users.

Security features

Phishing protection

Before Password Boss will offer to fill your passwords on a website we ensure that the website you are on is the same website you have stored in your account. If you happen to click on a phishing link that takes you to a site that looks similar to one of your saved accounts, Password Boss will not enter your passwords into the phishing site.
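A sketch of the kind of site check described above, as an added example that is not Password Boss code. It assumes the comparison is an exact match on scheme, host and port; the page does not say how Password Boss compares sites, and the function names and sample URLs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def site_key(url: str):
    """Reduce a URL to (scheme, host, port), or None if it cannot be trusted."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:                      # malformed netloc or port
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    if scheme not in DEFAULT_PORTS or not host:
        return None
    try:
        # Normalise internationalised names so look-alike Unicode hosts
        # compare as their distinct xn-- form instead of looking identical.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return (scheme, host, port or DEFAULT_PORTS[scheme])


def may_offer_fill(saved_url: str, current_url: str) -> bool:
    """Offer saved credentials only when both URLs name the same site."""
    saved, current = site_key(saved_url), site_key(current_url)
    return saved is not None and saved == current


if __name__ == "__main__":
    saved = "https://accounts.example.com/login"           # constructed
    for current in (
        "https://accounts.example.com/session?next=/home",  # same site
        "https://accounts.example.com.evil.test/login",     # saved name as prefix
        "https://accounts.examp1e.com/login",               # look-alike host
        "https://accounts.example.com@evil.test/login",     # userinfo trick
        "http://accounts.example.com/login",                # scheme downgrade
    ):
        print(may_offer_fill(saved, current), current)
```

Comparing parsed components rather than searching for the saved name inside the URL string is what makes the prefix and userinfo cases fail.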

Biometrics

Password Boss allows you to use your fingerprint to open the Password Boss application on your iOS and Android devices. Enabling this feature makes it fast and easy to securely access your Password Boss account.

2-Factor authentication

Password Boss gives you the ability to add an extra layer of security to your account by enabling 2-factor authentication. After entering your Master Password you will be prompted to enter a code from your authenticator app in order to access your account. How to setup 2-factor authentication.

Copy protection

Password Boss has the ability to copy passwords or other data to the clipboard to allow you to enter the data where you need to. To prevent other applications from accessing the data saved to the clipboard, any time you copy data from Password Boss we automatically clear the items from the clipboard after 1 minute.

Theft protection

Password Boss saves your personal information in an encrypted database on each device you add to your account. Your Master Password is needed to unlock and open this encrypted database. If a device on your account is lost or stolen you can remotely delete your data from the lost or stolen device.

User chosen data storage location

Password Boss has data storage locations around the world to provide faster synchronization of data between your devices.

Users with data privacy concerns can also benefit from this feature, which allows them to choose where their data is stored. By default, users are assigned a storage location close to their physical location. Users can also change the storage location of their data any time they choose. Users in the European Union have their data stored on servers in the EU.

Auto lock

Password Boss will automatically lock to prevent someone from accessing your account if you are away from your computer or mobile device. You can configure the amount of time before locking happens on each device you have.

Browser verification

Password Boss securely communicates with your browser to send your passwords and other data into website forms. Before any data is sent to your browser we confirm that your browser has been signed with a code signing certificate from the manufacturer. Once the browser has been confirmed and verified we send data to the browser using secure communication channels to prevent malware from intercepting the data.

Device verification

Password Boss ensures that only you can add a new device to your account with a 2-factor authentication process. When you add a new device to your account we will send you an email with a verification code that you need to enter on the new device to verify it is you. Verification codes expire after 30 minutes or 3 failed attempts.
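The expiry rule described above (30 minutes or 3 failed attempts), as an added example that is not Password Boss code. The class name, the 6-digit code format and the single-use behaviour are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 30 * 60   # page: codes expire after 30 minutes
MAX_FAILED_ATTEMPTS = 3      # page: or after 3 failed attempts


class DeviceVerification:
    """One pending verification code for one new device (hypothetical class)."""

    def __init__(self, now=None):
        # 6 random digits from a CSPRNG; the code format is an assumption.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = time.time() if now is None else now
        self.failed = 0
        self.used = False

    def check(self, submitted: str, now=None) -> str:
        """Validate a submitted code and return the outcome as a string."""
        now = time.time() if now is None else now
        if self.used:
            return "rejected: already used"
        if now - self.issued_at > CODE_TTL_SECONDS:
            return "rejected: expired"
        # Checked before comparing, so a correct guess after the limit
        # is still refused and a new code has to be requested.
        if self.failed >= MAX_FAILED_ATTEMPTS:
            return "rejected: too many failed attempts"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.used = True
            return "verified"
        self.failed += 1
        return "rejected: wrong code"


if __name__ == "__main__":
    pending = DeviceVerification(now=0)
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(pending.check("abcdef", now=60))       # constructed wrong input
    print(pending.check(pending.code, now=120))      # locked out despite correct code
```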

Privacy policy

You own your data and we are committed to keeping it private. Our privacy policy clearly describes when we collect your information and the steps we take to protect it.

Protecting your account

Choose a unique strong master password

The Master Password that you choose when creating your Password Boss account should be unique and not used anywhere else. Here are some tips for creating a strong Master Password:

Setup 2-factor authentication

Enabling 2-factor authentication adds an extra layer of security to your Password Boss account. With this feature enabled you will need to enter your Master Password as well as a code from your mobile phone in order to access your Password Boss account.

Install virus and malware protection

Making sure your computer is free from viruses and malware is the first step to protecting your personal information. Malware is changing and evolving at a rapid pace. Once you have installed malware protection software, ensure you install security software on all of your devices and that you keep the software up to date.

Watch out for phishing and malware

Attackers may try to trick you into revealing personal information like passwords, credit card numbers or bank accounts by pretending to be Password Boss or other services you trust. Phishing messages are designed to look genuine, and often copy the format used by the organization the scammer is pretending to represent, including their branding and logo.

Delete lost or stolen devices from your account

If a device on your account is lost or stolen, it is important to remove that device from your account so that your Password Boss account is removed from the device.