Protecting your data
Password Boss users trust us to keep their most sensitive information secure and private. Security is a guiding principle at Password Boss and is integral in all decisions we make on product design, development, personnel, security policies and controls. The information on this page is intended to provide transparency about how we protect your data.
Password Boss is built on the premise that any information a user stores in Password Boss should be accessible only to that user, and nobody else. The Master Password is the basis for this security. Each user chooses a Master Password, and this becomes the key to locking and unlocking access to their data.
The Master Password is not stored or transmitted anywhere; not even Password Boss has a copy. Without knowing your Master Password there is no access to the information stored in your Password Boss account. If a user forgets their Master Password, Password Boss employees do not have the ability to reset it.
Client side data encryption and decryption
All Password Boss user data is encrypted and decrypted locally using AES-256, the same level of encryption banks and governments use to protect data. This encryption has never been cracked and means that the data you store in Password Boss remains safe, secure and private.
All access to user data requires the Master Password. The Master Password is used to generate a unique encryption key using PBKDF2 (OpenSSL’s PKCS5_PBKDF2_HMAC_SHA1). The Password Boss client database is initialized with a unique random salt in the first 16 bytes of the file. This salt is used for key derivation and it ensures that even if two databases are created using the same password, they will not have the same encryption key. This process uses 64,000 iterations for key derivation.
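The key-derivation step described above, as an added example in Go; this is not Password Boss's own code. It implements PBKDF2 with HMAC-SHA1 (the construction behind OpenSSL's PKCS5_PBKDF2_HMAC_SHA1) with the page's 64,000 iterations and a 16-byte salt stored as the first 16 bytes of the database, and it shows why two databases created with the same Master Password end up with different keys. The 32-byte output length, the function names and the sample password are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

const (
	saltLen    = 16    // the page: a unique random salt in the first 16 bytes of the database file
	iterations = 64000 // the page: 64,000 PBKDF2 iterations
	keyLen     = 32    // assumption: a 256-bit key, sized for AES-256
)

// pbkdf2HMACSHA1 implements PBKDF2 (RFC 8018) with HMAC-SHA1 as the PRF,
// the same construction as OpenSSL's PKCS5_PBKDF2_HMAC_SHA1.
func pbkdf2HMACSHA1(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hLen := prf.Size()
	var out []byte
	var blockIndex [4]byte
	for i := 1; len(out) < dkLen; i++ {
		// U1 = PRF(P, S || INT(i)) with a big-endian block index starting at 1
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(blockIndex[:], uint32(i))
		prf.Write(blockIndex[:])
		u := prf.Sum(nil)
		t := make([]byte, hLen)
		copy(t, u)
		// U_j = PRF(P, U_{j-1}) for j = 2..c; T_i = U1 xor U2 xor ... xor Uc
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// NewDatabase returns the header of a fresh database (the random salt that
// occupies its first 16 bytes) together with the key derived for it.
func NewDatabase(masterPassword string) (header, key []byte, err error) {
	header = make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, header); err != nil {
		return nil, nil, err
	}
	key, err = KeyFromDatabase(masterPassword, header)
	return header, key, err
}

// KeyFromDatabase re-derives the key for an existing database from the Master
// Password and the salt in the file's first 16 bytes. Only the salt is stored;
// nothing derived from the password ever is.
func KeyFromDatabase(masterPassword string, fileContents []byte) ([]byte, error) {
	if len(fileContents) < saltLen {
		return nil, errors.New("database too short to contain a salt header")
	}
	salt := fileContents[:saltLen]
	return pbkdf2HMACSHA1([]byte(masterPassword), salt, iterations, keyLen), nil
}

func main() {
	// Constructed demonstration: the same Master Password, two databases, two keys.
	const pw = "correct horse battery staple" // constructed sample password
	hdrA, keyA, _ := NewDatabase(pw)
	hdrB, keyB, _ := NewDatabase(pw)
	fmt.Println("salt A:", hex.EncodeToString(hdrA), "key A:", hex.EncodeToString(keyA))
	fmt.Println("salt B:", hex.EncodeToString(hdrB), "key B:", hex.EncodeToString(keyB))
	again, _ := KeyFromDatabase(pw, hdrA)
	fmt.Println("re-derived key A matches:", hex.EncodeToString(again) == hex.EncodeToString(keyA))
}
```

The salt does not need to be secret, only unique, which is why it can sit unencrypted at the front of the file; the iteration count is what makes each guess of the Master Password expensive.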
Server verification with certificate pinning
Password Boss protects against rogue websites or malware-initiated man-in-the-middle attacks by ensuring that the Password Boss client applications will only communicate with servers that are using known certificates.
Secure sharing of passwords
Password Boss makes it easy to share data with people you trust. You have complete control over who receives the information as well as how long they have access to it.
All shared data is secured using a unique key with a randomized IV, encrypting it with 256-bit AES in CBC mode and computing an HMAC-SHA256 over the ciphertext. The data is then encrypted using 2048-bit RSA keypairs prior to being transferred between users.
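The sharing construction above, as an added example in Go; this is not Password Boss's own code. It generates a fresh AES-256 key, HMAC key and IV per shared item, encrypts with AES-CBC, authenticates with HMAC-SHA256 (encrypt-then-MAC, checked before any decryption), and wraps the symmetric keys for the recipient with a 2048-bit RSA key. Choices the page does not state and that are assumptions here: RSA-OAEP with SHA-256 as the wrapping mode, PKCS#7 padding, a separate MAC key, and including the IV in the MAC input alongside the ciphertext. The SharedItem layout and function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SharedItem is a constructed wire format for one shared secret.
type SharedItem struct {
	WrappedKeys []byte // RSA-2048 OAEP(encKey || macKey), one copy per recipient (assumption)
	IV          []byte // 16 random bytes, unique per item
	Ciphertext  []byte // AES-256-CBC of the PKCS#7-padded plaintext
	Tag         []byte // HMAC-SHA256 over IV || Ciphertext (encrypt-then-MAC)
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// NewRecipientKey generates the recipient's 2048-bit RSA keypair.
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Share encrypts plaintext for one recipient with fresh per-item keys and IV.
func Share(plaintext []byte, recipient *rsa.PublicKey) (*SharedItem, error) {
	keys := make([]byte, 64) // 32-byte AES key followed by a 32-byte HMAC key
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, keys); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(keys[:32])
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, keys[32:])
	mac.Write(iv)
	mac.Write(ct)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, keys, nil)
	if err != nil {
		return nil, err
	}
	return &SharedItem{WrappedKeys: wrapped, IV: iv, Ciphertext: ct, Tag: mac.Sum(nil)}, nil
}

// Receive unwraps the keys, verifies the tag in constant time before touching
// the ciphertext, and only then decrypts and strips the padding.
func Receive(item *SharedItem, priv *rsa.PrivateKey) ([]byte, error) {
	keys, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, item.WrappedKeys, nil)
	if err != nil || len(keys) != 64 {
		return nil, errors.New("cannot unwrap item keys")
	}
	mac := hmac.New(sha256.New, keys[32:])
	mac.Write(item.IV)
	mac.Write(item.Ciphertext)
	if !hmac.Equal(mac.Sum(nil), item.Tag) {
		return nil, errors.New("authentication tag mismatch: item altered or wrong keys")
	}
	if len(item.IV) != aes.BlockSize || len(item.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed IV or ciphertext")
	}
	block, err := aes.NewCipher(keys[:32])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(item.Ciphertext))
	cipher.NewCBCDecrypter(block, item.IV).CryptBlocks(pt, item.Ciphertext)
	return pkcs7Unpad(pt)
}

func main() {
	priv, _ := NewRecipientKey()
	item, _ := Share([]byte("constructed sample: example.com / s3cret"), &priv.PublicKey)
	pt, err := Receive(item, priv)
	fmt.Printf("recipient sees %q (err=%v)\n", pt, err)
}
```

Because the tag is checked before decryption, a tampered item is rejected without ever running the CBC decryption or the padding check, which is what closes the padding-oracle class of problems for CBC.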
Before Password Boss will offer to fill your passwords on a website we ensure that the website you are on is the same website you have stored in your account. If you happen to click on a phishing link that takes you to a site that looks similar to one of your saved accounts, Password Boss will not enter your passwords into the phishing site.
Password Boss allows you to use your fingerprint to open the Password Boss application on your iOS and Android devices. With this feature enabled, unlocking your Password Boss account is fast, easy and secure.
Password Boss gives you the ability to add an extra layer of security to your account by enabling 2-factor authentication. After entering your Master Password you will be prompted to enter a code from your authenticator app in order to access your account.
Password Boss has the ability to copy passwords or other data to the clipboard to allow you to enter the data where you need to. To prevent other applications from accessing the data saved to the clipboard, any time you copy data from Password Boss we automatically clear the items from the clipboard after 1 minute.
Password Boss saves your personal information in an encrypted database on each device you add to your account. Your Master Password is needed to unlock and open this encrypted database. If a device on your account is lost or stolen you can remotely delete your data from the lost or stolen device.
User chosen data storage location
Password Boss has data storage locations around the world to provide faster synchronization of data between your devices.
Users with data privacy concerns also benefit from this feature, because it lets them choose where their data is stored. By default, users are assigned a storage location close to their physical location. Users can change the storage location of their data at any time. Users in the European Union have their data stored on servers in the EU.
Password Boss will automatically lock to prevent someone from accessing your account if you are away from your computer or mobile device. You can configure the amount of time before locking happens on each device you have.
Password Boss securely communicates with your browser to send your passwords and other data into website forms. Before any data is sent to your browser we confirm that your browser has been signed with a code signing certificate from the manufacturer. Once the browser has been confirmed and verified we send data to the browser using secure communication channels to prevent malware from intercepting the data.
Password Boss ensures that only you can add a new device to your account with a 2-factor authentication process. When you add a new device to your account we will send you an email with a verification code that you need to enter on the new device to verify it is you. Verification codes expire after 30 minutes or 3 failed attempts.
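The new-device verification rule above (a code that expires after 30 minutes or 3 failed attempts), as an added example in Go; this is not Password Boss's own code. It models the server-side state for one challenge: expiry and the failure limit are enforced before the code is compared, and the comparison is constant-time. The 6-digit code format, the type and function names, and the error values are assumptions made for the example; the page only states the expiry and the attempt limit.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const (
	codeTTL     = 30 * time.Minute // the page: codes expire after 30 minutes
	maxFailures = 3                // the page: or after 3 failed attempts
)

var (
	ErrExpired  = errors.New("verification code expired")
	ErrLocked   = errors.New("verification code invalidated after too many failed attempts")
	ErrMismatch = errors.New("verification code does not match")
)

// DeviceVerification is the server-side state for one new-device challenge.
type DeviceVerification struct {
	code     string
	issuedAt time.Time
	failures int
}

// NewDeviceVerification issues a random 6-digit code (constructed format; the
// page does not state the code's length). The caller supplies the clock so the
// expiry rule can be exercised deterministically.
func NewDeviceVerification(now time.Time) (*DeviceVerification, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return nil, err
	}
	return &DeviceVerification{code: fmt.Sprintf("%06d", n.Int64()), issuedAt: now}, nil
}

// Code is the value the verification e-mail would carry to the user.
func (v *DeviceVerification) Code() string { return v.code }

// Verify checks one attempt typed on the new device. A nil result means the
// device is verified; every other outcome is one of the errors above.
func (v *DeviceVerification) Verify(attempt string, now time.Time) error {
	if now.After(v.issuedAt.Add(codeTTL)) {
		return ErrExpired
	}
	if v.failures >= maxFailures {
		return ErrLocked
	}
	// Constant-time compare so response timing does not reveal how many digits matched.
	if subtle.ConstantTimeCompare([]byte(attempt), []byte(v.code)) != 1 {
		v.failures++
		return ErrMismatch
	}
	return nil
}

func main() {
	now := time.Now()
	v, _ := NewDeviceVerification(now)
	fmt.Println("wrong code:", v.Verify("000000", now.Add(time.Minute)))
	fmt.Println("right code:", v.Verify(v.Code(), now.Add(2*time.Minute)))
	fmt.Println("right code, 31 minutes later:", v.Verify(v.Code(), now.Add(31*time.Minute)))
}
```

Counting failures against the challenge rather than against the client keeps the limit meaningful even if the attacker changes IP addresses between guesses; once the third failure lands, the only way forward is a fresh e-mail to the account owner.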
Protecting your account
Choose a unique, strong Master Password
The Master Password that you choose when creating your Password Boss account should be unique and not used anywhere else. Here are some tips to creating a strong Master Password:
- Use a minimum of 8 characters – longer is better
- Use upper case, lower case, symbols, and numbers
- Combine several words to create a very long password
- Do not use common words or phrases
- Do not include your birthday, address, or name
Setup 2-factor authentication
Enabling 2-factor authentication adds an extra layer of security to your Password Boss account. With this feature enabled you will need to enter your Master Password as well as a code from your mobile phone in order to access your Password Boss account.
Install virus and malware protection
Making sure your computer is free from viruses and malware is the first step to protecting your personal information. Malware is changing and evolving at a rapid pace. Install security software on all of your devices and keep it up to date.
Watch out for phishing and malware
Attackers may try to trick you into revealing personal information like passwords, credit card numbers or bank accounts by pretending to be Password Boss or other services you trust. Phishing messages are designed to look genuine, and often copy the format used by the organization the scammer is pretending to represent, including their branding and logo.
- When you contact Password Boss we will never ask you for your Master Password, nor will we send you any email asking you for your Master Password.
Delete lost or stolen devices from your account
If a device on your account is lost or stolen it is important to remove that device from your account to remove your Password Boss account from the device.