Password Vault Security System

Note: This article is also available in the Password Vault help file.

Password Vault boasts one of the strongest and most flexible security systems of any personal password manager.

Password Vault Encryption System

Password Vault 3 uses the Advanced Encryption Standard (AES) algorithm in Cipher Block Chaining (CBC) mode with a 256-bit key for data encryption. The algorithm is implemented in the System.Security.Cryptography.RijndaelManaged class of the Microsoft .NET Framework 1.1.

The Advanced Encryption Standard, or Rijndael, replaced the Data Encryption Standard (DES) as the U.S. government standard for encrypting classified and non-classified data in 2001. It has been certified to encrypt documents classified as high as TOP SECRET (when used with a 192- or 256-bit key). The Rijndael algorithm was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and was submitted as a candidate for the new encryption standard in 1998.

Rijndael is a symmetric block cipher. A symmetric algorithm is one in which the same key is used for encryption and decryption—in Password Vault, a 256-bit key is used. A block cipher is one in which data is encrypted in fixed-size blocks (in the case of Rijndael, blocks of 128 bits each), rather than as a continuous stream. In Password Vault, Rijndael is used in Cipher Block Chaining (CBC) mode, meaning that each block of data is encrypted using not only the key, but also the ciphertext of the previously encrypted block. The purpose of this scheme is to provide increased protection in situations where several identical blocks of data are encrypted; without chaining, they would all encrypt to the same ciphertext. In order for CBC mode to work, a special block is required to encrypt the first data block, since there is no previous block. This special block is called the initialization vector, or IV.
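As an added illustration (not code from Password Vault or from the .NET class named above), the following Go program builds CBC chaining by hand on top of the AES block cipher, next to an unchained (ECB) version for contrast, so the effect on identical blocks and the role of the IV can be checked. The key, IV and sample blocks are constructed, and padding is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// mustAES builds the AES block cipher; a 32-byte key selects AES-256.
func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// xorBlock returns a XOR b; both slices must have the same length.
func xorBlock(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// ecbEncrypt encrypts each 16-byte block independently, with no chaining, so
// identical plaintext blocks come out as identical ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, out := mustAES(key), make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}

// cbcEncrypt chains blocks by hand: each plaintext block is XORed with the
// previous ciphertext block before the AES operation, and the IV stands in as
// the "previous block" for the first one. Input must be a multiple of 16 bytes
// (padding is out of scope here).
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, out := mustAES(key), make([]byte, len(plaintext))
	prev := iv // the IV seeds the chain
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], xorBlock(plaintext[i:i+aes.BlockSize], prev))
		prev = out[i : i+aes.BlockSize] // this ciphertext block feeds the next
	}
	return out
}
```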

In Password Vault, your key is derived from two sources: 1) your Vault file password, and 2) your salt—a random sequence of bytes which is stored encrypted in your Vault file. Your IV comes from one of two sources, depending on your preferences. It may be derived from your random five-digit security code, which must be memorized along with your password. Alternatively, a default IV is used if you do not want to memorize a security code. The difference in security between a random IV from a memorized security code and the default IV is not terribly significant because the IV is not nearly as critical to the encryption as the key; thus, using the default IV will not considerably compromise the security of your Vault file. Nevertheless, using a random IV gives you a little extra security that you might find important.
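An added example, not Password Vault's own code: one way to derive a 256-bit key from a password plus a stored random salt, and a 16-byte IV from a five-digit security code or a fixed default. The KDF (PBKDF2-HMAC-SHA-256 with 100,000 iterations), the hashing of the code and the default IV value are all assumptions; the article states none of them.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"strings"
)

// pbkdf2Block computes PBKDF2 (RFC 8018) over HMAC-SHA-256 for one 32-byte output
// block, enough for a 256-bit key. Assumed KDF: the page does not name one.
func pbkdf2Block(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of block 1
	u := mac.Sum(nil)             // U1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // Ui = PRF(P, Ui-1)
		for j := range t {
			t[j] ^= u[j] // T1 = U1 xor U2 xor ... xor Uc
		}
	}
	return t
}

// deriveKey turns the Vault password and the random salt stored in the Vault
// file into the 256-bit AES key. The 100,000-iteration work factor is assumed.
func deriveKey(password string, salt []byte) []byte {
	return pbkdf2Block([]byte(password), salt, 100000)
}

// defaultIV is a constructed stand-in for the fixed IV used without a security code (16 bytes).
var defaultIV = []byte("PwdVaultDefltIV!")

// deriveIV maps the memorized five-digit security code to a 16-byte IV, or returns
// defaultIV for an empty code. Only 100,000 codes exist, so the IV adds little secrecy.
func deriveIV(code string) ([]byte, error) {
	if code == "" {
		return defaultIV, nil
	}
	if len(code) != 5 || strings.Trim(code, "0123456789") != "" {
		return nil, errors.New("security code must be exactly five digits")
	}
	sum := sha256.Sum256([]byte("iv:" + code)) // domain-separated from key input
	return sum[:16], nil
}
```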

Data Security in Password Vault

In Password Vault, your passwords are not only encrypted in your Vault file on your hard drive, but the five sensitive fields (Username, Organization, Password, Email, and Comments) of each password record are also encrypted in memory (using your same key and IV) while your Vault file is open. When your key and IV reside in memory, they are encrypted (also by AES encryption) with a random key and IV that reside, unencrypted, in memory. Password Vault wipes your key and IV from memory a configurable length of time after they are placed there. The exact length of time is up to you: it may be as short as 100 milliseconds (meaning your key and IV will virtually never reside in memory), as long as 3 hours, or infinite (meaning your key and IV will never be wiped from memory). You can set this interval on the Security tab of the "Options" dialog box. You may also wipe your key and IV from memory manually any time you wish. Once your key and IV have been wiped from memory, you will have to re-enter your password and security code in order to view or change a password's properties, AutoComplete a password, search your passwords, or save your Vault file.

To manually wipe your key and IV from memory:

From the main Password Vault window:
Select Wipe Key and IV from Memory from the Tools menu, or press F12, or press the Wipe Key and IV from Memory toolbar button.

- or -

From the system tray menu:
Select the Wipe Key and IV from Memory menu item.

Note: In Password Vault, when data is wiped from memory, it is first overwritten with zeroes, and then its memory is deallocated.

Additional Security System Features

  • Require password to restore from system tray, Require password to AutoComplete passwords, Require password to unmask Password field
    You can specify that your password and security code be required in order to restore the main Password Vault window from the system tray, AutoComplete a password, or unmask the Password field, regardless of whether your key and IV are already in memory. These three options are available on the Security tab of the "Options" dialog box.

  • Mask Password field
    You can mask the Password field on the main Password Vault window with circles to prevent others from obtaining your passwords simply by looking over your shoulder. To mask or unmask the Password field, select Mask Password Field from the Tools menu, or press F9, or press the Mask Password Field toolbar button.

  • Clear Clipboard
    You can clear the system Clipboard after completing a Copy/Paste AutoComplete operation.

    To clear the system Clipboard:

    From the main Password Vault window:
    Select Clear Clipboard from the Tools menu, or press the Clear Clipboard toolbar button.

    - or -

    From the system tray menu:
    Select the Clear Clipboard menu item.

    You can also set the Clipboard to clear automatically after a delay when configuring Copy/Paste AutoComplete for a password.