How UniPass protects your data
- Encrypted at rest: the local database is encrypted with SQLCipher; individual vault records use AES-256-GCM. The key is derived from your master password with Argon2id.
- Zero-knowledge sync: optional cloud sync uploads only opaque ciphertext. The server stores no keys and cannot decrypt your vault.
- Credentials stay local: the browser extension reaches your vault only through the desktop app over your OS's Native Messaging channel — never over our network.
- Anti-phishing autofill: matches the registrable domain (eTLD+1), so look-alike domains don't receive your credentials.
- Brute-force resistance: Argon2id KDF plus rate limiting (by IP and account) and progressive lockout on the sync service.
- Supply-chain integrity: macOS release builds are code-signed and Apple-notarized; the extension is distributed through the Chrome Web Store.
Threat model
Threats we defend against
- An attacker who obtains your device files (cloud backup, stolen drive) — the vault database is encrypted.
- An attacker who intercepts network traffic during sync — end-to-end encryption plus TLS.
- An attacker who controls the sync server — the server cannot decrypt any vault content (zero-knowledge).
- Other local users on the same machine — no access to the vault's encryption keys.
- Online brute-force of login — Argon2id KDF, dual-dimension rate limiting, progressive lockout.
Threats we cannot defend against
- Your master password itself being compromised (social engineering, shoulder-surfing, keyloggers).
- Malware running with administrator/root privileges on your device — no password manager can defend against this.
- Zero-day operating-system vulnerabilities — we can only minimize attack surface.
Reporting a vulnerability
Please do not report security issues through public GitLab/GitHub issues. Disclose privately:
- Email: security@unipass.loxnet.io
- Subject prefix:
[SECURITY] - Please include: affected version/platform, vulnerability type, reproduction steps (PoC welcome), potential impact, and any suggested fix.
Our commitment
- Acknowledge your report within 24 hours.
- Provide an initial assessment (reproducibility, severity) within 72 hours.
- Patch CRITICAL/HIGH issues as fast as engineering allows and ship a fix release.
- Credit you in the release notes (unless you prefer to stay anonymous).
- We will not pursue good-faith security research.
FAQ
What if I forget my master password?
It cannot be recovered. This is the core guarantee of a zero-knowledge architecture — we hold no copy of your master password or derived keys. The Secret Key generated at sign-up enables device-to-device recovery, but only together with your master password. Keep both safe.
Do you collect usage data?
No telemetry, crash reports, or usage analytics. With cloud sync enabled we store vault ciphertext and sync metadata (account email, device identifiers, version numbers); nothing else is uploaded. See our Privacy Policy.