Security FAQs

Category: Security
On this page:

    This article contains Frequently Asked Questions (FAQs) regarding Security.

    Q: Why should I trust PassageWay with my passwords?

    A: You can trust us for a few reasons:

    1. PassageWay is open source software. All of our source code is hosted on GitHub and is free for anyone to review. Thousands of software developers follow Bitwarden’s source code projects (and you should too!).
    2. PassageWay is audited by reputable third-party security firms as well as independent security researchers.
    3. PassageWay does not store your passwords. PassageWay stores encrypted versions of your passwords that only you can unlock. Your sensitive information is encrypted locally on your personal device before ever being sent to our cloud servers.
    4. PassageWay has a reputation. PassageWay is used by millions of individuals and businesses. If we did anything questionable or risky, we’d be out of business!

    Still don’t trust us? You don’t have to. Open source is beautiful. You can easily host the entire PassageWay stack yourself. You control your data.

    Q: What happens if PassageWay gets hacked?

    A: PassageWay takes extreme measures to ensure that its websites, applications, and cloud servers are secure. PassageWay uses Microsoft Azure managed services to manage server infrastructure and security, rather than doing so directly.

    If for some reason PassageWay were to get hacked and your data was exposed, your information is still protected due to strong encryption and one-way salted hashing measures taken on your Vault data and master password.

    Q: Can PassageWay see my passwords?

    A: No.

    Your data is fully encrypted and/or hashed before ever leaving your local device, so no one from the PassageWay team can ever see, read, or reverse engineer to get to your real data. PassageWay servers only store encrypted and hashed data. For more information about how your data is encrypted, see Encryption.

    Q: Is my PassageWay master password stored locally?

    A: No.

    We do not keep the master password stored locally or in memory. Your encryption key (derived from the master password) is kept in memory only while the app is unlocked, which is required to decrypt data in your vault. When the vault is locked, this data is purged from memory.

    We also reload the application’s renderer process after 10 seconds of inactivity on the lock screen to make sure any managed memory addresses which have not yet been garbage collected are purged. We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up whenever the application is locked. We consider the application’s encrypted data to be completely safe while the application is in a locked state.

    Q: What do I do if I don’t recognize a new device logging into PassageWay?

    A: If the IP address of a new device doesn’t match any known IP addresses (home network, work network, mobile network, etc.), change your master password and make sure Two-step Login is enabled for your account. You should also Deauthorize Sessions from the Settings page of your Web Vault to force logout on all devices. If you think your Vault items might be compromised, you should change your passwords.

    Q: What is PassageWay compliant with? What certifications do you have?

    A: PassageWay is compliant with the following policies:

    • GDPR. Read more here.
    • CCPA. Read more here.
    • HIPAA. Read more here.
    • SOC 2 Type 2. Read more here.
    • SOC 3. Read more here.

    For more information, please visit our Security and Compliance page.

    Q: What third-party services, libraries or identifiers are used in my PassageWay account?

    A: In the Mobile apps, Firebase Cloud Messaging (often mistaken for a tracker) is used only for push notifications related to sync and performs absolutely no tracking functions. Microsoft Visual Studio App Center is used for crash reporting on a range of mobile devices. In the Web Vault, Stripe and PayPal scripts are used for payment processing only on payment pages.

    For those who prefer to exclude all 3rd party communication, Firebase and HockeyApp are removed completely from the F-Droid build. Additionally, Turning off push notifications on a self-hosted PassageWay server will disable using the push relay server.

    PassageWay takes user security and privacy seriously. PassageWay maintains secure, end-to-end encryption with zero knowledge of your encryption key. As a company focused on open source, we invite anyone to review our library implementations at any time on GitHub.

    Q: How long does PassageWay cache session information?

    A: Great question! The answer depends on the particular piece of information and client application:

    • Offline Vault sessions will expire after 30 days.
      • Except for mobile client applications, which will expire after 90 days.
    • Two-step Login Remember Me selections will expire after 30 days.
    • Directory Connector sync cache will be cleared after 30 days.
    • Organization invites will expire after 5 days. Self-hosted customers can configure this using an environment variable.

    Questions Regarding Specific Client Apps

    Q: What data does PassageWay use from client applications?

    A: PassageWay uses Administrative Data to provide the PassageWay Service to you. As indicated by some App Privacy reports, users provide the following information on account creation:

    • Your Name (optional).
    • Your Email Address (used for Email Verification, Account Administration, and communication between you and PassageWay).

    Additionally, a PassageWay-generated device-specific GUID (sometimes referred to as a Device ID) is assigned to your device. This GUID is used to alert you when a new device logs into your Vault.

    Q: Can you explain Electron App Security?

    A: An often shared article suggests a flaw with Electron apps, however the referenced attack requires a user to have a compromised machine, which of course would allow a malicious attacker to compromise data on that machine. As long as you have no reason to believe the device you are using has been compromised, your data is safe.

    Q: How does PassageWay secure Browser extensions?

    Extensions are safe to use if they are developed correctly. Due to the nature of how browser extensions work there is always a chance for a bug to arise. We take extreme care and caution when we are developing our extensions and add-ons, we keep our eyes and ears out for anything going on in the industry, and we conduct security audits to keep many eyes on everything.

    Q: What is the Browser Extension asking permission for?

    A: On installation, the Browser Extension will ask permission to access your clipboard in order to use the scheduled clipboard clear function (accessed in the Options menu).

    When this optional feature is enabled, clipboard clear will clear any PassageWay entries made by or filled on a configurable interval. Access to the clipboard allows PassageWay to do this without removing a clipboard item not associated from the PassageWay application by checking the last-copied item again the last-copied item from your Vault. Please note, this feature is off by default.

    Q: Why does the Browser Extension need nativeMessaging permission?

    A: Version 1.48.0 of the browser extension enables Biometric Unlock for Browser Extensions.

    This permission, also known as nativeMessaging, is safe to accept and allows the browser extension to communicate with the PassageWay desktop app, which is required to enabled Unlock with Biometrics.

    Note that when your browser updates to this version, you may be asked to accept a new permission called “communicate with cooperating native applications” (in Chromium-based browsers), or “exchange messages with programs other than Firefox.” If you don’t accept this permission, the extension will remain disabled.

    Q: Is PassageWay FIPS Compliant?

    A: PassageWay uses FIPS compliant libraries and cryptography, however the PassageWay platform has not performed any FIPs certifications. Most FIPS installations of PassageWay leverage the self-hosting option to make evaluations (i.e. Cybersecurity Maturity Model Certification) easier.

    Q: Can I restrict access to PassageWay to certain devices?

    A: You can use custom firewall and NGINX configurations as well as VPN/VLAN access control to determine the device types and/or network layer access for your PassageWay instance. You may also use other tools such as device-level certificates to control specific device access to the PassageWay instance as well.