About Xecrets Security
It is secure to store your secrets here. We're only using current and established standards for encryption and storage. The technology is open for inspection by anyone, we even publish full reference source code.
It's also safe and reliable. We have several layers of redundancy to ensure that you can always access your data.
Your secrets are stored as encrypted XML, using 256-bit AES encryption. AES is the current US National Institute of Standards and Technology recommended encryption algorithm, where the full PDF specification is found, a less formal description is available on Wikipedia.
Although the use of standardized XML encryption technology minimizes the risk of design and implementation errors, in the end your password or passphrase will determine the resulting actual security, which is why we require at least 10 characters in your password. We also use a standardized key-wrap algorithm, as well as an iterated key-derivation algorithm ensuring that whatever password you use - we'll make it at least a 1000 times stronger. The actual value is determined by the speed of our server, thus automatically upgrading security when faster computer hardware is available.
Your password is not used to encrypt your secrets, it's only used to derive a key which in turn is used to encrypt (wrap) the real key. The real key used for the actual encryption is a full 256-bit key generated by our servers to be as random and strong as possible.
If you lose or forget your password, we cannot send it to you. We do not know it. However, you can request a password reset which will cause a new password to be set. Your old secrets will be maintained in their encrypted form, and if you in the future do recall your old password, the old secrets will be automatically decrypted and merged with any new secrets.
You can also request a password change, which does require you to know the current password. In this case your secrets will be automatically re-encrypted with the new password.
Download your raw encrypted secrets file
When you are logged on, you can download your secrets as an encrypted XML file. What you download is exactly identical to what we store on the server.
The encrypted XML file is using only W3C standardized technology, and is therefore interoperable with any software capable of decrypting W3C encrypted XML. There is also an offline Windows application, Xecrets2Go, available to decrypt the file from your desktop or directly from a USB drive.
Since we only ever store your data in encrypted form on our server, an attacker can at best get hold of the encrypted XML. Provided you have not choosen a very weak password, this encryption is not feasible to force by any attacker, and your secrets will be safe even in this event.
The most common attack vector for hackers is via database SQL injection, where faulty validation of user input leads to attackers getting access to the database. This is impossible on the Xecrets server, since we do not use any SQL database at all, we only use files in the file system.
When you are logged on, we are by necessity keeping your password in memory as well as the decrypted secrets when we send them to your browser, but is never saved to disk. The production server is located in a secure hosting facility.
All communication with our server is encrypted with strong SSL encryption, and we do not allow any client that does not accept this to log on.