PassHub Security

Strong multifactor authentication.
No usernames or passwords

PassHub is unique because your account is not based on a username or a master password. Instead, PassHub implements WWPass™ authentication technology using the free WWPass Key app. The WWPass Key is a cryptographic authenticator which enables you to have ‘one key for many doors’ (one-to-many) without using a password or even username. Aside from the free mobile app, it also comes in other forms including smartcards or USB tokens. No matter what form you prefer, all are ‘something you have’ and are used as the first factor when logging in. The WWPass Key itself is protected by a PIN, which is known only to you. You may also turn on the biometric features of the WWPass Key app to use a fingerprint or facial recognition instead of entering a PIN. Because of the sensitive nature of the information most people store in PassHub, additional security is always required when accessing your account.

Client-side and end-to-end encryption

Along with WWPass™ multi-factor authentication, PassHub.net also features client-side encryption. Client-side encryption means that all sensitive data is ciphered with a WWPass Key in the user browser. No meaningful information is accessible on the server side. We use asymmetric cryptography to send crypto keys to your peers, thus providing end-to-end encryption. When a user signs in, the browser gets an encryption key, specific for each user-web site pair.

What does all this mean for you? The only way to know that you have true client-side encryption is to be physically in possession of the encryption key. With the WWPass Key, you are the only one who is ever in possession of your encryption key. Without this key, no one else in the world can decrypt your private data, not even employees of WWPass or PassHub. If you currently store sensitive data in using a service that requires you to login with a username and password, there is a very high probability that they are not providing you with client-side encryption. This means that employees of that company, or hackers who gain unauthorized access to that company, could download and decrypt your private data without you ever knowing.

High entropy

Unlike other password managers, PassHub does not use encryption key derivation based on passwords (PBKDF). In a WWPass Key, authentication credentials are totally independent of data encryption mechanism, thus providing 256-bit entropy for symmetric keys. High entropy means it is practically impossible to guess or brute-force the secret keys.

What does this mean for you? If you’re using a website or service that requires you to login with a password, they are likely using your password to create an encryption key. The key that they create using this method is much weaker than those used by WWPass Keys. They are also vulnerable to people guessing, cracking, intercepting or being stolen by phishing. Worse yet, if you are required to login with a username (often an email address), and your username is publicly known (like email often is), then someone would know exactly where to start guessing if they want to break into your account. The best way to prevent this is by leaving usernames and passwords out of the login process -and WWPass Key does exactly that.

Standard and open source cryptography

PassHub employs Web Crypto JavaScript API, which is specified by W3C. The Web Crypto API establishes new standards for security and speed for in-browser cryptography. While all modern browsers support this spec, PassHub relies on open source Forge crypto library as a fallback on older devices.

What does this mean for you? “Open Source” software like PassHub is available for code review and continual vulnerability analysis from any security expert in the world. Many companies do not make their software open source, precisely because of the level of scrutiny that they will face from experts around the world. We are confident in the technology we build, and understand the importance of getting actionable feedback from these experts in order to continuously improve PassHub and stay ahead of emerging security threats.

Standard encryption algorithms

PassHub only uses NIST approved algorithms, which include: AES-GCM 256 bits and RSA-OAEP.

What does this mean for you? Some security solution providers attempt to offer “snake oil cryptography,” using terms like “military grade” or “unhackable” to entice prospective users onto their platforms. If a vendor is using these terms, it is a huge red flag. Worse yet, some vendors claim to use totally new encryption algorithms. This is a terrible idea, since they are not well tested or understood. In a best case scenario, when the new algorithm encounters a problem you will not be able to decrypt any of your data and it will all be lost. In a worst case scenario, hackers will identify a vulnerability in the new algorithm before the developers who built it and everyone’s data will be stolen. Industry standard encryption algorithms are more than sufficient, so avoid anyone who claims to offer a newer, better one.

Additionally, an important and often overlooked factor in the type of encryption used is the actual implementation and architecture of that encryption. Sometimes a company may claim to use standard encryption algorithms, but has implemented them in a way which renders them useless. Think of it like locking your car doors but leaving all the windows rolled down.

Web service or on-prem deployment

Passhub.net is a free web service available to every individual. The service does not collect any private information. Each user only needs an anonymous WWPass Key to create a Passhub account.

For companies where security policy prohibits external services, a custom dedicated version of PassHub is available for installation on company premises or in the company’s cloud. With the custom dedicated version of PassHub, user access and activity are controlled by a company site administrator. As a protection against Insider breaches and abuse of admin privileges, the site admin cannot read user sensitive data.

What does this mean for you? If you need PassHub only for personal use, you are welcome to create an account, which completely protects your privacy through an approach called “zero knowledge,” which gives you total anonymity. If you use PassHub this way, WWPass and PassHub never need to know who you are. However, if you need PassHub for work, you can get a dedicated version for your company, which has additional features tailored to the unique needs of businesses. There are multiple ways this dedicated version can be set up, and we’d be happy to discuss them with you if you’re interested.

High availability

PassHub features a distributed server architecture with database replication and multi-head Web servers to provide reliable 24 x 7 availability.

What does this mean for you? You will always be able to access PassHub either from your phone or your desktop, anywhere in the world with an internet connection. Any data you store in PassHub is backed up in multiple locations, which means that if one of them encountered a problem, you would still be able to get seamless access to your data from an alternate location.