Passify

Frequently Asked Questions — Security

Where is my data stored?

On your device. Encrypted. No network connectivity required.

If you use the sync functionality, an encrypted copy is stored on your sync provider, but under your control.

How is my data protected?

All of your data is encrypted on the device. Encryption keys are device-specific, random and not transmitted. If you move your data off device (for sync or backup), you provide your own encryption key.

See the "Encryption Specification" knowledgebase article for more details on the encryption used by Passify.

How is my Personal Secret handled?

Your Personal Secret is not permanently stored and only briefly remains in memory in order to generate passwords.

See the "Personal Secret Handling" knowledgebase article for more details on how Passify handles your Personal Secret.

How do I block access to Passify?

Enable your device's built-in locking functionality so that a PIN, password or biometric is required to unlock and access your device. As a security best practice, lock your device even when you are not using Passify.

How is encryption handled when synchronizing or backing-up?

You provide your own encryption key for sync and backup. Your data never leaves the device unencrypted: it is re-encrypted with your key on the device before it is sent to your sync provider or written to a backup.

See the "Encryption Specification" knowledgebase article for more details on how encryption is applied to sync and backup data.

Can you use my generated passwords to determine my Personal Secret or any other data?

No. Passify derives passwords with a one-way function, so a generated password cannot be reversed, decoded or decrypted back into your Personal Secret or any of the other input values.

Why is Passify's AutoFill feature safer than other password managers' similar feature?

With Passify, there is no way for someone to AutoFill a password without entering the Personal Secret. Passify doesn't store passwords; it algorithmically re-generates them each time, and the Personal Secret is required as an input to the algorithm.

On the other hand, if a different password manager stores passwords and AutoFill is enabled and authorized, anyone with access to your unlocked device and password store can log into your accounts.

Does Passify do anything to help me detect when a malicious app is pretending to be Passify?

Yes. To ensure that you don't type your Personal Secret into another application pretending to be Passify, a theming system is available that allows you to select a theme color and theme art.

Select a preferred color and/or art in Passify's Settings. Passify will then use these settings to customize the application, including the Personal Secret prompt page.

If you are ever prompted for your Personal Secret and the theme color or art does not match your selections, an app may be impersonating Passify and you should not enter your Personal Secret. Keep in mind that this check only helps against an impersonator that has not seen your chosen theme, so treat any unexpected prompt for your Personal Secret with suspicion.

If someone knows Passify's algorithm, couldn't they generate my passwords?

The algorithm depends on input unique to you: the rules and random values of each of your Generators, and your Personal Secret. Unless the attacker has both your Passify data and your Personal Secret, no. The algorithm alone cannot be used to generate your passwords.

Doesn't generating passwords algorithmically make them less secure?

Assuming that the Character Sets assigned to the Generator are large enough and the password length is sufficient, the number of possible passwords is the alphabet size raised to the length (for example, 62 characters over 16 positions gives roughly 2^95 combinations), which puts guessing or brute-forcing a Passify password out of practical reach.

Can two unrelated people happen to generate the same password?

No. Generators are unique to each person. Even if two people simultaneously create the same Generator with matching basic rules and use the same Personal Secret, Passify will still generate different passwords.

Passify's algorithm keeps passwords unique by including data specific to each individual as part of the password generation process, for example creation dates, unique IDs and other random values. These input values will not match between people regardless of Generator rules, and each of them affects the final generated password.

The ONLY way to generate the same password for two different people/devices would be for them to share the exact same Passify Generator data on both of their devices using Passify's synchronization feature.
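As an added illustration (not Passify's own algorithm or code, which this FAQ does not publish), the following Python sketch models the properties described in the three questions above: the password is derived through a one-way key derivation from the Personal Secret plus per-Generator random data, so knowing the algorithm alone yields nothing; two users with identical rules and the same secret still get different passwords because their per-Generator values differ; and the guessing cost is set by character set size and length. The Character Set names, the Generator record fields and the KDF choice (PBKDF2-HMAC-SHA256 expanded with HMAC counters) are assumptions made for this example.

```python
# Added illustration of salted, deterministic password derivation.
# This is NOT Passify's algorithm or code; it only models the properties the
# FAQ describes (secret + per-Generator random data -> one-way output).
import hashlib
import hmac
import math
import secrets
import string

# Assumed Character Set names for this example.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+",
}


def make_generator(site, charsets, length, gen_id=None, salt=None):
    """Create a Generator record. gen_id and salt stand in for the per-user
    unique IDs / creation dates / random values the FAQ mentions; they are
    drawn at random unless supplied (fixed values are only for tests)."""
    return {
        "site": site,
        "charsets": tuple(charsets),
        "length": length,
        "id": gen_id if gen_id is not None else secrets.token_hex(8),
        "salt": salt if salt is not None else secrets.token_bytes(16),
    }


def alphabet_for(gen):
    return "".join(CHARSETS[name] for name in gen["charsets"])


def derive_password(personal_secret, gen):
    """Deterministically derive the password for one Generator. The same
    secret and Generator data always give the same password; changing
    either changes the output completely, and the KDF is one-way."""
    alphabet = alphabet_for(gen)
    # Bind the derived key to the Generator's rules and its unique values.
    rules = f"{gen['site']}|{gen['id']}|{gen['length']}|{','.join(gen['charsets'])}".encode()
    key = hashlib.pbkdf2_hmac("sha256", personal_secret.encode(),
                              gen["salt"] + rules, 100_000, dklen=32)
    # Expand the key with HMAC-SHA256 over a counter and map bytes to
    # characters with rejection sampling so every character is equally likely.
    limit = 256 - (256 % len(alphabet))
    chars = []
    counter = 0
    while len(chars) < gen["length"]:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
                if len(chars) == gen["length"]:
                    break
    return "".join(chars)


def password_entropy_bits(gen):
    """Entropy of a password drawn uniformly from the Generator's alphabet:
    length * log2(alphabet size)."""
    return gen["length"] * math.log2(len(alphabet_for(gen)))


def two_users_same_rules(secret="correct horse", site="example.com"):
    """Two people create Generators with identical rules and use the same
    Personal Secret; their random per-Generator values still differ, so the
    derived passwords differ."""
    alice = make_generator(site, ("lower", "upper", "digits"), 16)
    bob = make_generator(site, ("lower", "upper", "digits"), 16)
    return derive_password(secret, alice), derive_password(secret, bob)


if __name__ == "__main__":
    gen = make_generator("example.com", ("lower", "upper", "digits", "symbols"), 20)
    print(derive_password("my personal secret", gen))
    print(f"{password_entropy_bits(gen):.1f} bits of entropy")
    print(two_users_same_rules())
```

The salt and rules are folded into the KDF input, so a change to any Generator field produces an unrelated password, and the rejection-sampling step avoids the modulo bias that a plain `byte % len(alphabet)` mapping would introduce into the entropy figure.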

Doesn't storing your passwords and 2nd-Factor Authentication keys in the same app make 2FA worthless?

With Passify, your passwords are not stored along with your 2FA keys because Passify does not store passwords.

Unless someone knows your Personal Secret, they cannot generate your passwords even if they access your device or your Passify data.

Can I rotate or change my device's encryption key?

Yes. Passify generates your device encryption key when the app is first run or reset. You can easily force generation of a new encryption key by backing up your data, resetting Passify and then restoring your data.

See the "Rotating Device Encryption Key" knowledgebase article for information on how to rotate the key.

Why does the AutoFill always prompt for my Personal Secret?

Personal Secrets are not permanently stored and are only remembered for short periods while the application is running. Additionally, different applications cannot access each other's memory. The Passify AutoFill extension is a separate application from the main Passify application and only runs while you are actively using it. Because it is a separate application and exits immediately once cancelled or a password is chosen, it has no way to remember your Personal Secret.

This is by design, and prevents a malicious person from using AutoFill to log into your accounts should they get ahold of your unlocked device.

Can I use my finger or face for my Personal Secret?

Unfortunately, no. Passify doesn't allow biometric data to be used as a Personal Secret:

  • If biometric data derived from your finger or face were ever compromised, you would not be able to change your Personal Secret.
  • Our fingers and faces change over time, which could cause unexpected changes to your Personal Secret.

Has Passify undergone a security audit?

Not yet, but we plan to hire an independent 3rd-party to perform a thorough security audit of Passify as soon as possible.