- Q1: Why should I trust Passvault with my passwords?
- Q2: What happens if Passvault gets hacked?
- Q3: Can Passvault see my passwords?
- Q4: Is my Passvault master password stored locally?
- Q5: What do I do if I don't recognize a new device logging into Passvault?
- Q6: How can I protect my Passvault account from brute-force attacks?
Q1: Why should I trust Passvault with my passwords? #
A: You can trust us for a few reasons:
- Passvault is open source software. All of our source code is hosted on GitHub and is free for anyone to review. Thousands of software developers follow Passvault's source code projects (and you should too!).
- Passvault is audited by reputable third-party security firms as well as independent security researchers.
- Passvault does not store your passwords. It stores encrypted versions of your passwords that only you can unlock: your sensitive information is encrypted locally on your device, using a key derived from your master password, before it is ever sent to our cloud servers.
- Passvault has a reputation to protect. Passvault is used by millions of individuals and businesses. If we did anything questionable or risky, we would be out of business!
Q2: What happens if Passvault gets hacked? #
A: Passvault takes extreme measures to ensure that its websites, applications, and cloud servers are secure. Passvault uses Microsoft Azure managed services to manage server infrastructure and security, rather than doing so directly. Just as importantly, the servers hold only data that was already encrypted and hashed on your device (see Q3), so a compromise of the servers would expose ciphertext that cannot be read without your master password. That is also why the strength of your master password matters: an attacker who obtained the stored data could only try to guess it offline, and a long, unique master password makes that impractical.
Q3: Can Passvault see my passwords? #
A: No.
Your data is fully encrypted and/or hashed before it ever leaves your local device, so no one on the Passvault team can see, read, or reverse engineer your real data. Passvault servers store only encrypted and hashed data. See the encryption documentation for more information about how your data is encrypted.
Q4: Is my Passvault master password stored locally? #
A: No.
We do not keep the master password stored locally or in memory. The encryption key derived from it is held in memory only while the app is unlocked, because it is needed to decrypt the data in your vault. When the vault is locked, the key is purged from memory.
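The model behind Q3 and Q4, as an added example that is not Passvault's code: the device stretches the master password into a key, sends the server only a one-way hash of that key for login, uploads only ciphertext, and drops the key on lock. Everything about the scheme is assumed for illustration (PBKDF2-SHA256 salted with the e-mail, the iteration counts, the login hash being a one-round PBKDF2 over the key, the server re-hashing what it receives), and the stream cipher is a stand-in built from HMAC-SHA256 in counter mode so the example runs on the Python standard library alone; a real client would use AES.

```python
"""Illustrative client-side encryption model (added example, not Passvault's
code). Assumed scheme: PBKDF2-SHA256 turns the master password into a master
key on the device; a one-round PBKDF2 over that key is the login hash sent to
the server; vault items are encrypted on the device before upload. The cipher
is an HMAC-SHA256 counter-mode stand-in with an encrypt-then-MAC tag."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200_000      # assumed count, kept modest so the example is quick
SERVER_ITERATIONS = 100_000   # assumed server-side re-hash of the login hash
NONCE_LEN, TAG_LEN = 16, 32


def derive_master_key(master_password: str, email: str) -> bytes:
    """Client side only: the master password never leaves this function."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS, 32)


def server_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """The only secret-derived value sent to the server; one-way from the key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1, 32)


def _subkeys(master_key: bytes):
    """Separate encryption and MAC keys, both derived from the master key."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt_item(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc, mac = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_item(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a tampered item is rejected."""
    enc, mac = _subkeys(master_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault item failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class Server:
    """Holds only a re-hashed login credential and opaque ciphertext."""

    def __init__(self):
        self.records = {}

    def register(self, email: str, auth_hash: bytes) -> None:
        salt = secrets.token_bytes(16)   # re-hash so a database dump is not a login credential
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, 32)
        self.records[email] = {"salt": salt, "auth": stored, "items": []}

    def login(self, email: str, auth_hash: bytes) -> bool:
        rec = self.records[email]
        cand = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], SERVER_ITERATIONS, 32)
        return hmac.compare_digest(cand, rec["auth"])

    def store_item(self, email: str, blob: bytes) -> None:
        self.records[email]["items"].append(blob)


class Client:
    """The master key exists only between unlock() and lock()."""

    def __init__(self, email: str):
        self.email = email
        self._key = None

    def unlock(self, master_password: str) -> bytes:
        self._key = derive_master_key(master_password, self.email)
        return server_auth_hash(self._key, master_password)   # what goes on the wire

    def lock(self) -> None:
        # Python bytes are immutable, so dropping the reference is the best this
        # model can do; a native client would overwrite the key buffer.
        self._key = None

    @property
    def unlocked(self) -> bool:
        return self._key is not None

    def encrypt(self, secret: str) -> bytes:
        if self._key is None:
            raise RuntimeError("vault is locked")
        return encrypt_item(self._key, secret.encode())

    def decrypt(self, blob: bytes) -> str:
        if self._key is None:
            raise RuntimeError("vault is locked")
        return decrypt_item(self._key, blob).decode()
```

Two details carry the FAQ's point: the server's `records` contain neither the master password nor anything that derives it (the login hash is itself re-hashed with a server salt), and a `Client` that has called `lock()` cannot decrypt anything until `unlock()` re-derives the key from the master password.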
Q5: What do I do if I don’t recognize a new device logging into Passvault? #
A: If the IP address of a new device doesn't match any of your known IP addresses (home network, work network, mobile network, and so on), change your master password and make sure two-step login is enabled for your account. You should also deauthorize sessions from the Account settings page of your web vault to force a logout on all devices. If you think the items in your vault might be compromised, change those passwords as well.
Q6: How can I protect my Passvault account from brute-force attacks? #
A: In a brute-force attack, a malicious actor systematically tries large numbers of candidate passwords, typically starting with short and commonly used ones, in an attempt to gain access to your account. Passvault offers a few ways you can protect yourself from these attacks:
- Use a long and unique master password. Passvault requires a 12-character minimum to increase account security.
- Set up two-step login (2FA) on all Passvault accounts to add an additional layer of security.
- Passvault requires CAPTCHA verification after 9 failed login attempts from an unknown device.