SecurePassManager is currently in its initial release phase. We are committed to providing security updates for the following versions:
| Version | Supported |
|---|---|
| 2024.10.01.01 | ✅ |
| < 2024.10.01.00 | ❌ |
We take the security of SecurePassManager seriously. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.
-
Do not report security vulnerabilities through public GitHub issues.
-
Please send an email to @securepassmanager with the subject line "SecurePassManager Security Vulnerability".
-
Include the following details in your report:
- Type of issue (e.g., buffer overflow, encryption weakness, etc.)
- Full paths of source file(s) related to the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
-
Allow up to 48 hours for an initial response to your report.
- A response acknowledging your report within 48 hours.
- An evaluation of the reported vulnerability.
- A plan for addressing the vulnerability, if confirmed.
- A public disclosure after the vulnerability has been addressed.
We appreciate your efforts and will make every effort to acknowledge your contributions.
SecurePassManager implements the following security measures:
- AES-256 encryption in GCM mode for all stored data.
- Encryption keys are derived from the user's master password using a secure key derivation function.
- PBKDF2-HMAC-SHA256 with a minimum of 100,000 iterations.
- A unique salt is generated for each user to prevent rainbow table attacks.
- Sensitive data (e.g., master password, encryption keys) is securely wiped from memory after use.
- We use
mlock()to prevent sensitive memory pages from being swapped to disk.
- All user inputs are validated and sanitized to prevent injection attacks and buffer overflows.
- We use prepared statements for any operations involving user input.
- SecurePassManager operates entirely locally, with no network communication, eliminating risks associated with data transmission.
- We use cryptographically secure random number generators (provided by OpenSSL) for all security-critical operations.
- All releases are tagged and signed with GPG keys.
- We provide checksums for all released binaries.
To maximize security when using SecurePassManager:
- Use a strong, unique master password (we recommend at least 16 characters).
- Never share your master password or store it in plain text.
- Regularly update to the latest version of SecurePassManager.
- Use full-disk encryption on your device.
- Be cautious when exporting password data and securely delete any exported files when no longer needed.
SecurePassManager uses the following third-party libraries:
- OpenSSL 3.3.0 or later: For cryptographic operations
- liboath 2.6.7 or later: For TOTP functionality
We monitor these dependencies for security updates and incorporate them promptly.
We are open to independent security audits. If you're interested in conducting a security audit, please contact us at audit@securepassmanager.
SecurePassManager is designed to protect against:
- Unauthorized access to the password database file
- Memory dumping attacks
- Brute-force attacks on the master password
- Tampering with the application binary
It does not protect against:
- Malware on the user's system
- Physical access to the user's unlocked device
- Weakness of individual passwords stored in the database
While we strive for the highest level of security, no system is 100% secure. Users should use SecurePassManager as part of a comprehensive security strategy.
This security policy is subject to change. Please check regularly for updates.
Last updated: 2024.10.02