At Password Boss, the security of your data is our highest priority
Protecting your data
Password Boss users trust us to keep their most sensitive information secure and private. Security is a guiding principle at Password Boss and is integral to all decisions we make on product design, development, personnel, security policies and controls. The information on this page is intended to provide transparency about how we protect your data.
Password Boss is built on the premise that any information a user stores in Password Boss should be accessible only to that user, and nobody else. The Master Password is the basis for this security. Each user chooses a Master Password, and this becomes the key to locking and unlocking access to their data.
The Master Password is not stored or transmitted anywhere; even Password Boss does not have a copy. Without knowing your Master Password there is no access to the information stored in your Password Boss account. If a user forgets their Master Password, Password Boss employees do not have the ability to reset the Master Password.
Client side data encryption and decryption
All Password Boss user data is encrypted and decrypted locally using AES-256, the same level of encryption banks and governments use to protect data. This encryption has never been cracked and means that the data you store in Password Boss remains safe, secure and private.
All access to user data requires the Master Password. The Master Password is used to generate a unique encryption key using PBKDF2 (OpenSSL’s PKCS5_PBKDF2_HMAC_SHA1). The Password Boss client database is initialized with a unique random salt in the first 16 bytes of the file. This salt is used for key derivation and it ensures that even if two databases are created using the same password, they will not have the same encryption key. This process uses 64,000 iterations for key derivation.
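The derivation described above, as an added Python example that is not Password Boss's own code. It assumes a 32-byte key for AES-256 and UTF-8 encoding of the Master Password; the function names and the file body after the 16-byte salt are constructed for illustration.

```python
import hashlib
import hmac
import os

SALT_LEN = 16        # per the page: the salt is the first 16 bytes of the file
ITERATIONS = 64_000  # per the page
KEY_LEN = 32         # assumption: 32-byte key, as AES-256 requires


def new_database(body: bytes = b"") -> bytes:
    """Constructed database image: 16 random salt bytes followed by the body."""
    return os.urandom(SALT_LEN) + body


def read_salt(db_image: bytes) -> bytes:
    """Return the salt header, rejecting files too short to contain one."""
    salt = db_image[:SALT_LEN]
    if len(salt) != SALT_LEN:
        raise ValueError("database is shorter than the 16-byte salt header")
    return salt


def derive_key(master_password: str, db_image: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1 over the Master Password, salted from the file."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        master_password.encode("utf-8"),  # assumption: UTF-8 encoding
        read_salt(db_image),
        ITERATIONS,
        dklen=KEY_LEN,
    )


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    db_a = new_database(b"constructed-body")
    db_b = new_database(b"constructed-body")
    key_a, key_b = derive_key(password, db_a), derive_key(password, db_b)
    return {
        # Same password, two databases: the per-file salt separates the keys.
        "same_password_different_keys": not hmac.compare_digest(key_a, key_b),
        # Reopening the same file reproduces the key; nothing is stored.
        "reopen_gives_same_key": hmac.compare_digest(key_a, derive_key(password, db_a)),
        "key_bytes": len(key_a),
    }


if __name__ == "__main__":
    print(demo())
```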
Server verification with certificate pinning
Secure sharing of passwords
Password Boss makes it easy for you to share data with people you trust. You have complete control over who receives the information as well as how long they have access to it.
All shared data is secured using a unique key with a randomized IV, encrypting it with 256-bit AES in CBC mode and computing a SHA256 HMAC on the ciphertext. The data is then encrypted using 2048-bit RSA key pairs prior to being transferred between users.
User-chosen data storage location
Password Boss has data storage locations around the world to provide faster synchronization of data between your devices.
Users with data privacy concerns also benefit from this feature, which allows them to choose where their data is stored. By default, users are assigned a storage location close to their physical location. Users can also change the storage location of their data any time they choose. Users in the European Union have their data stored on servers in the EU.