How Secure Is PassCryp?

Key derivation: Argon2id with 64 MB memory cost, 3 iterations, parallelism 1. Salt is a per-user random 16 bytes stored alongside the wrapped vault key. The output is a 256-bit wrapping key used only to encrypt and decrypt the vault key — it never directly encrypts vault items.

Vault key wrapping: AES-256-GCM with a random nonce. The wrapped vault key is stored as base64 ciphertext on our servers; without your master password it cannot be unwrapped.

Item encryption: AES-256-GCM with a fresh 96-bit nonce per item per write. Item ciphertext, nonce, and authentication tag are concatenated into a single blob that syncs to the server. Browser uses Web Crypto subtle.encrypt — hardware-accelerated, audited natively.

In scope: server compromise (database, file storage, API), insider threats (PassCryp engineers cannot read your vault), network adversaries (TLS plus E2EE), and offline brute force of stolen vaults (Argon2id raises the cost per guess from microseconds to ~300 ms).

Out of scope: a compromised endpoint (if your laptop has keylogger malware, no password manager helps), forgotten master password without recovery kit (unrecoverable by design — that's what zero-knowledge means), and physical coercion (if you're forced to type your master password, nothing protects you).

Published: full security whitepaper with key derivation parameters, encryption modes, threat model, and known limitations. Sub-processors list with hosting providers, data regions, and processing purposes. Browser extension source on GitHub. SBOM (software bill of materials) for the web app.

Audited: every release is reviewed by the security team. Dependency updates touching cryptography or auth get a separate review. We are working toward an annual third-party penetration test; results will be summarized publicly when available.