Stay secure online with Passbolt password manager’s ‘secret key’


Passbolt uses a "secret key" for all authentication and encryption, keeping you secure in your online travels.
Photo: Passbolt

If you know anything about the dangers of hacking and identity theft lurking online, you may already know an app to manage all of your passwords can be a lifesaver. Passbolt is a good one. It uses a “secret key” for all of its authentication and encryption operations, keeping your information safe.

This post is brought to you by Passbolt.
Right now, Cult of Mac readers can get 20% off the regular prices of Passbolt Pro and Cloud versions with the special promo code below.

Passbolt password manager’s secret key keeps you secure online

Passbolt comes in three versions: free, Pro and Cloud. Pro and Cloud are the most robust. We’ll focus on Cloud because it’s super-secure, offering all the benefits of the Pro version, and it’s easy to set up. You can use it on iOS or Android. (Safari-extension support for macOS is coming later this year.)

Passbolt sets itself apart from other password managers by offering a unique architecture tailored for secure collaboration, with granular choices for who gets access to what. It’s built on top of open standards.

The company said Passbolt analyzes and addresses risk in different ways from other password managers.

Your key to online security is secret

Unlike password managers that derive the encryption key from your master password, Passbolt issues each user a randomly generated “secret key” (users can also bring their own). This is a private key, and it is independent of the account passphrase rather than derived from it, so guessing the passphrase does not produce the key.

The private key is one half of an asymmetric key pair. Others use the matching public key to encrypt secrets for you; only the private key can decrypt them, and it is also what signs on your behalf.

Stolen credentials won’t work

Passbolt protects your account from “credential stuffing,” in which an attacker replays username and password pairs leaked from other sites’ breaches in the hope that you reused them.

By design, passwords or passphrases from previous breaches are useless against Passbolt on their own, even when multifactor authentication (MFA) is not enabled, because logging in requires the private key.

So even if an attacker obtains your account passphrase, they still lack the secret key needed to use it.

Secret keys stay safe

Your private keys stay private because they’re never distributed by the Passbolt server. They stay in your device’s local storage.

In addition, when you must transfer private keys between devices, Passbolt skips the server and generates QR codes in a secure browser extension sandbox.

Passbolt also disables private-key escrow by default. While you have the option to send your encrypted private key to the server so an administrator can help you regain access, it’s turned off until you turn it on.

A self-hosted password manager that works offline

Because Passbolt can be self-hosted, even in air-gapped environments, you can keep all of your data on infrastructure you control. It works disconnected from the internet, even in the most remote situations.

Plus, there’s no need to register an account or have an internet connection to get started. And you won’t need to learn how to opt out of a telemetry program. In these ways, Passbolt balances a user-friendly experience with privacy.

Other benefits baked into Passbolt

Passbolt includes an array of other security features to give the most control over your privacy (and peace of mind):

  • An anti-phishing token helps you recognize genuine Passbolt prompts, so a fake copy of Passbolt cannot trick you into handing over your private key.
  • Because the browser extension is mandatory, the code that encrypts and decrypts ships with the extension; the server never sends it, so a compromised server cannot push altered code to your browser.
  • Passbolt discloses all security-audit results and lets customers see its SOC 2 Type II audit reports.
  • You get granular control over password permissions per user and per folder, rather than simple shared vaults.
  • Each password is encrypted separately for each user it is shared with; no encrypted copy exists for users without permission.
  • When a user’s access is revoked, their encrypted copy is deleted immediately. (Surprisingly, not all password managers do this.)
  • You can export your passwords to the open-source KeePass Password Safe.
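The sharing model the article describes (a random private key that is not derived from the password, one encrypted copy per recipient, deletion of that copy on revocation, and a stolen passphrase being useless without the key) is easy to see in code. The following is an added Go example, not Passbolt’s own code: the page does not say which cipher or key format Passbolt uses, so RSA-OAEP from Go’s standard library stands in for it, and the users, the vault, and the “db-prod” entry are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrNoAccess is returned when the server holds no ciphertext for the requesting user.
var ErrNoAccess = errors.New("no encrypted copy stored for this user")

// User is a client-side identity. The private key is generated at random,
// independent of any login password, and never handed to the server.
type User struct {
	Name string
	priv *rsa.PrivateKey
}

// NewUser creates a user with a fresh 2048-bit RSA key pair (a hypothetical
// stand-in for Passbolt's real key format, which this page does not describe).
func NewUser(name string) (*User, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &User{Name: name, priv: k}, nil
}

// Vault models the server side: it knows only public keys and holds one
// ciphertext per (secret, recipient) pair.
type Vault struct {
	pubs  map[string]*rsa.PublicKey
	store map[string]map[string][]byte // secretID -> userName -> ciphertext
}

func NewVault() *Vault {
	return &Vault{pubs: map[string]*rsa.PublicKey{}, store: map[string]map[string][]byte{}}
}

// Register uploads a user's public key; the private half stays with the user.
func (v *Vault) Register(u *User) { v.pubs[u.Name] = &u.priv.PublicKey }

// Share encrypts the secret once per recipient with that recipient's public key
// (RSA-OAEP with SHA-256, the secret ID as label) and stores the ciphertexts.
// Users not listed get no copy at all.
func (v *Vault) Share(secretID string, plaintext []byte, recipients ...string) error {
	if v.store[secretID] == nil {
		v.store[secretID] = map[string][]byte{}
	}
	for _, r := range recipients {
		pub, ok := v.pubs[r]
		if !ok {
			return fmt.Errorf("unknown user %q", r)
		}
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, []byte(secretID))
		if err != nil {
			return err
		}
		v.store[secretID][r] = ct
	}
	return nil
}

// Revoke deletes the user's encrypted copy; nothing is left to decrypt.
func (v *Vault) Revoke(secretID, user string) { delete(v.store[secretID], user) }

// Fetch returns the ciphertext stored for user, or ErrNoAccess.
func (v *Vault) Fetch(secretID, user string) ([]byte, error) {
	ct, ok := v.store[secretID][user]
	if !ok {
		return nil, ErrNoAccess
	}
	return ct, nil
}

// Decrypt runs locally with the user's private key. A ciphertext addressed to
// someone else fails here, even if an attacker has it plus their own key.
func (u *User) Decrypt(secretID string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, u.priv, ct, []byte(secretID))
}

// Read is the client side of a lookup: fetch this user's copy, decrypt locally.
func (u *User) Read(v *Vault, secretID string) ([]byte, error) {
	ct, err := v.Fetch(secretID, u.Name)
	if err != nil {
		return nil, err
	}
	return u.Decrypt(secretID, ct)
}

func main() {
	alice, _ := NewUser("alice")
	bob, _ := NewUser("bob")
	mallory, _ := NewUser("mallory")
	v := NewVault()
	for _, u := range []*User{alice, bob, mallory} {
		v.Register(u)
	}
	// Constructed sample secret shared with two of the three users.
	if err := v.Share("db-prod", []byte("correct horse battery staple"), "alice", "bob"); err != nil {
		panic(err)
	}
	pt, err := bob.Read(v, "db-prod")
	fmt.Printf("bob reads: %q err=%v\n", pt, err)
	_, err = mallory.Read(v, "db-prod")
	fmt.Println("mallory, never shared:", err)
	ct, _ := v.Fetch("db-prod", "alice")
	_, err = mallory.Decrypt("db-prod", ct)
	fmt.Println("mallory with alice's ciphertext but her own key:", err)
	v.Revoke("db-prod", "bob")
	_, err = bob.Read(v, "db-prod")
	fmt.Println("bob after revoke:", err)
}
```

Note that a login passphrase never appears in the model at all: the server stores only public keys and ciphertexts, so a leaked passphrase gives an attacker nothing to decrypt with, and revocation is a delete rather than a re-encryption of a shared vault.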

‘Privacy is in our DNA’

“Privacy is in our DNA,” Passbolt noted, and you can see it. The company relies on open-source code, so you never have to simply take its word about its security. The code is 100% open source, fully licensed under AGPL, and hosted on GitHub.

Passbolt is headquartered in Luxembourg. As such, it’s fully compliant with the European Union’s General Data Protection Regulation (aka GDPR). Plus, the company’s cloud servers are hosted where privacy is protected by laws barring all trackers.

2 weeks free, then Cult of Mac readers get 20% off

You can try Passbolt’s Cloud version for free for 14 days before committing to purchase.

And Cult of Mac readers can get 20% off the regular price of Passbolt’s Cloud and Pro versions by using the promo code CULT-OF-MAC.

Where to download: Passbolt

