Security
How we protect your most personal information.
Zero-Knowledge Encryption
When you enable encryption, your data is locked before it ever leaves your device. We call this zero-knowledge encryption because we genuinely have no access to your information. Not us, not our database administrators, not anyone who might compel us legally. The keys live only with you.
Here's exactly how it works:
- Key generation on your device. Your browser generates a Master Encryption Key (MEK) using the Web Crypto API. This key never travels to our servers in plaintext. Ever.
- Password-protected key wrapping. A Key Encryption Key (KEK) is derived from your password using PBKDF2. That KEK wraps (encrypts) your MEK. Only the encrypted MEK is stored on our servers. Without your password, it's unreadable noise.
- Client-side field encryption. Before any sensitive data is transmitted, your browser encrypts it using your MEK and AES-256-GCM. When encryption is enabled, item names, descriptions, beneficiary details, photos, and notes are all encrypted on your device first. Our servers only ever receive ciphertext.
What this means in practice: if our database were stolen tomorrow, the attacker would have encrypted blobs they cannot read. If a government served us with a subpoena demanding your estate data, we'd hand over the same encrypted blobs. We don't have the keys.
Recovery Phrase
During encryption setup, your browser generates a 12-word recovery phrase using the BIP39 word list. This phrase is the only backup for your encryption keys if you forget your password.
Write it down and store it somewhere safe. It's shown exactly once and never stored on our servers. If you lose both your password and your recovery phrase, your encrypted data cannot be recovered by anyone, including us. That's not a legal disclaimer; it's a cryptographic fact.
Password Security
Passwords are hashed with Argon2id, the winner of the Password Hashing Competition and the current industry standard for password storage. Argon2id is memory-hard by design, which makes it expensive to attack even with specialized hardware.
We store only the hash. The hashing function is one-way, which means we have no way to retrieve or display your original password. If you forget it, you reset it. You don't recover it.
Authentication
Sessions use short-lived JWT access tokens (15-minute expiry) paired with refresh tokens (7-day expiry), both stored as HttpOnly cookies. HttpOnly means script running in the page can't read them, which closes off a common class of session-hijacking attacks in which an injected script exfiltrates the session token.
Two-factor authentication is available via:
- TOTP authenticator apps (Google Authenticator, Authy, or any TOTP-compatible app)
- WebAuthn passkeys (hardware security keys, Face ID, Touch ID)
- Backup recovery codes for account access if your second factor is unavailable
Authentication endpoints are rate-limited to block brute-force attempts. Too many failed logins from a single IP will result in a temporary lockout.
Infrastructure
Pass It On runs on Google Cloud Platform in the us-central1 region, using Compute Engine, Cloud SQL (PostgreSQL), and Cloud Storage. GCP encrypts all stored data at rest by default.
All connections are encrypted in transit. We enforce HTTPS, and plain HTTP requests are redirected to HTTPS automatically. Our web server (Caddy) supports HTTP/2 and HTTP/3 (QUIC). Security headers are enforced on every response, including HSTS, X-Frame-Options, and X-Content-Type-Options.
Our CI/CD pipeline uses Workload Identity Federation for authentication. That means there are no service account key files anywhere in our infrastructure. A stolen credential file can't be used to access your data because no such file exists.
Bot Protection
Login, registration, and password reset are protected by hCaptcha in invisible mode. This blocks automated credential-stuffing and account creation attacks without asking you to identify traffic lights.
Responsible Disclosure
If you discover a security vulnerability in Pass It On, please report it to support@passiton.now. We take security reports seriously and will respond promptly. We ask that you give us reasonable time to address the issue before publishing details publicly.
What We Can't Do
With encryption enabled, there are things that are technically impossible for us, not just things we've chosen not to do:
- We cannot read your encrypted items, descriptions, or beneficiary information.
- We cannot reset your encryption or restore access to your data without your password or recovery phrase.
- We cannot comply with legal requests for the plaintext contents of your encrypted data. We don't have it. We can only provide the encrypted ciphertext, which is useless without your keys.
This is the fundamental guarantee of zero-knowledge encryption. Your data is yours.