Frequently asked questions

Is PwdSafe free?

Yes it's totally free.

Why should I use PwdSafe?

You can easily manage and organize the various passwords you have. You can quickly add new accounts and find the data you need in the blink of an eye. Your data is protected by strong cryptography which is virtually unbreakable and backed up daily. PwdSafe is fast, reliable and ubiquitous. It runs on desktop computers as well as mobile phones or tablets. You can access your passwords everywhere at any time because it is stored in 'the cloud'. You only need to memorize your password and encryption key to access all your data. You can use the password generator to create strong, secure and unique passwords for each of your accounts. Because you do not need to memorize every single password anymore. PwdSafe does that for you.

Who is PwdSafe for?

Practically everyone who needs to manage his or her passwords.

Is PwdSafe secure?

Yes, very secure! PwdSafe uses strong and proven cryptography to ensure the privacy of your data. Namely AES 256 and SSL are used to protect your data.

Can you see my passwords?

No, we can't. Everything is encrypted with your encryption key. The key is never conveyed to PwdSafe.

I lost my encryption key. Can you recover it?

No. Unfortunately not.

I can't login because I lost my password.

No problem. Please use the forgot password form. Enter the email address you chose when you signed up with PwdSafe. We will send you instructions on how to change your password.

How does PwdSafe work?

After you log in, your data is sent from our servers through an encrypted connection to to your computer. When the data has arrived on your computer its still encrypted. Then you need to decrypt the data before it is usable. The decryption happens on your computer. Therefore your key never leaves your computer. When you add new data, the new data is encrypted with your encryption key and afterwards it is is sent over an encrypted connection to our servers where the encrypted data is stored in our database. In the highly unlikely event that someone gets access to our database, the attacker can't do much, because all data is encrypted. What is more, the data of each user is encrypted differently because each user uses a unique key. So an attacker must break the encryption of each user separately. Breaking the encryption of one account with all supercomputers in the world would take a lot longer then the universe exists. The data is encrypted at all times except on your computer when you are logged in and decrypted it with your key. While the data travels through the internet between your computer and our servers, it is doubly protected. The connection between you and us is encrypted as well as the data itself.

Has PwdSafe weaknesses?

The passwords you chose. The encryption algorithms in use are not crackable without exorbitant efforts. So the only chance for an attacker is to perform a "brute force" attack which means the attacker tries to guess your password and encryption key. Often attackers test names or words from dictionaries, so you should chose your password with care. Best use our password generator to generate unguessable passwords. Also be extra careful if you use a foreign device, because a keylogger might run in the background. A defense against keyloggers might be to use the on-screen-keyboard.

Can I backup my passwords?

Yes, there is an option to export your data as CSV file. You can open the file with a lot of Programs, the most popular tools are Microsoft Excel, Notepad or OpenOffice Calc. But be careful with the exported file, because it is not encrypted and therefore easy prey for an attacker.

What is an encryption key?

The encryption key is used to encrypt and decrypt your data. Your login via email/password on the other hand just helps us to know who you are and to verify that it's really you. After you login successfully, we send your encrypted data to you. After you receive your data from us, you can decrypt the data with your key. So your key never leaves your computer and is never conveyed to us. You are the only person in the world how knows the key. This means, if you forget your key, you can't access your data and noone can help you.
Your encrypted data can't be decrypted without your key. Even the NSA can't do it ;) The only chance for an attacker is to guess your key. That is why you should use an encryption key which is not easily guessable.

How to choose a strong encryption key?

The safety of your data mainly depends on the strength of your key. Please refrain from using the name of your dog, cat or favorite movie and do not use any password you ever used as your key. This includes the password you chose at signup for PwdSafe. As a rule of thumb, the longer the key is and the more different characters it contains, (numbers, uppercase, lowercase, special characters) the safer it is.
We suggest to either use a long but easy to remember sentence like for instance 19GreenUnicornsEat42VegetariansIn10Minutes or a (shorter) password with at least 10 characters which includes, uppercase, lowercase and special characters as well as numbers. For instance: k$HdpSd)1#P. Each time you want access your data you must enter your key. So to use a too long key might be cumbersome and to choose a cryptic key might be to hard to remember. It's up to you and your preferences - at least this is the only password you will ever have to remember. Please do not use these examples.
If you decided on your key, write it down on paper and put it somewhere safe, maybe the ring binder where you keep your important documents. Then memorize the key. And please, please do not store the key on your computer.

How do you check whether a password has been breached

Short: We query haveibeenpwned. Long: We create a cryptographic hash of the password and query the password API of haveibeenpwned with the first 5 digits of said hash. Then we get the hashes of all passwords whose first 5 digits match our query. Then we can check whether one of the returned hashes matches the complete hash of the password. If thats the case, we know that the password has been breached. Note that the haveibeenpwned service never knows the password, because it is only fed with the first 5 digits of the 40 digit hash of the password. PwdSafe does not know the password either, because all checks happen in your browser and not on the PwdSafe server.