The following security features have been built into the passvault:
- All sensible data is transferred using SSL.
- User Passwords are not stored in plain text but as salted BCRYPT hashes using 12 rounds. Each password uses it's own randomly generated hash seed (the salt). As a result a brute force or rainbow table attack against the hash values will take some time.
- Sensible data stored in the passvault is encrypted using the 256 bit Rijndael algorithm in chained blocks as supported by PHP5.
- The user login password is also used to encrypt the data in the passvault. In order to avoid storing the password within the user session it is split into two fragments. One is stored in the server stored session, the other part is embedded into the page and is resubmitted with every new page being requested. As a result, neither the transferred html file nor the session database can be used to replicate the password.