Passify

Frequently Asked Questions — Sync, Sharing & Backup

If I use sync, aren't I uploading my passwords somewhere?

No. Passify does not store passwords. Only your encrypted Generators and associated rules and information are uploaded to the storage provider.

Are syncing and backups secure?

Yes.

  1. Your Password Generators and associated rules and information are encrypted on your device with a private key that you provide, before they are synchronized or backed-up. See "How is encryption handled when synchronizing or backing-up?" for more information.

  2. You choose how and where to host your encrypted sync files. You can host the files yourself or use a 3rd-party service, most of which provide free levels of service sufficient for Passify. Currently supported providers are:

    • Amazon S3 (or compatible)
    • Dropbox
    • FTPS
    • Google Drive
    • iCloud
    • MEGA
    • Microsoft OneDrive
    • SSH
What is the difference between sync & backup?

A sync changes over time, whereas a backup is a static snapshot from a particular time:

  • Sync: Passify automatically manages merging changes between two or more devices, updating each as needed.
  • Backup: On request, Passify exports a snapshot of the current data. When restored, replaces any existing data.

For compatibility, Passify uses the same encrypted file format for the Sync Provider data file (sync.pbak) and backups. Therefore these files are somewhat interchangeable. In other words, you can perform a restore from a sync.pbak file just as from any manually created backup. Or you could "seed" a Sync Provider with an existing backup file renamed to sync.pbak.

How and when is sync performed?

Sync will occur at a few different instances:

  • On app startup when a sync hasn't recently occurred
  • Periodically when the app is in the background based on when the operating system chooses
  • After you add a Generator or make an edit to an existing one
  • When you tap the sync button or pull-to-refresh the main Generator listing
When I set up sync or perform a sync with some providers, why does Passify sometimes contact Passify's server and/or Amazon Web Services?

Some file hosting providers (Dropbox, Microsoft OneDrive, Google Drive) require Passify to use special keys in order to access their service. These keys are assigned to Passify by those providers and must be kept secret.

As it is insecure to store these keys directly in Passify, we use Amazon Web Service's Secrets Manager to store them instead, and fetch them only when you connect to these specific hosting providers.

Additionally, the authentication process (known as OAUTH) when you first set up these providers requires us to use an intermediary server to handle the requests. For this, we use our own server rather than relying on a 3rd-party.

Sync providers that you host yourself or use traditional login credentials (Amazon S3, FTPS, iCloud, MEGA, SSH) connect directly to that provider and do not utilize AWS Secrets Manager or Passify's web site.

For more information, please see our Privacy Policy.

How are my credentials for Amazon S3, FTPS, SSH, and MEGA stored?

These credentials are encrypted and stored in the device's local secure storage provided be the operating system. See the Security FAQ "How is my data protected?" for more information.

What are the various files I see in the file listing for Passify on my sync provider?

These files are used to facilitate the synchronization process and are automatically managed by Passify as needed:

  • The ".psid" files are anonymous device IDs references created when you connect a device to the sync provider. They help Passify know if there are multiple devices syncing with the provider.

    The ID numbers are Universally Unique Identifiers (UUID), generated for each device connected to a sync provider, and have no other purpose than to facilitate the subscribing and unsubscribing to the sync provider.
  • The ".psem" file is a temporary "semaphore" file that indicates when a device is actively communicating with the sync provider. Passify uses this to ensure that only one device at a time is accessing the sync data file.

    Occassionally, the semaphore may be left behind, but Passify will eventually purge it to ensure syncing can continue.
  • The ".tmp" file is sync data being uploaded. This file will exist if an upload is in progress and sometimes can be left behind if an upload fails to complete. Passify will automatically remove this file if necessary.
  • The ".pbak" file is your encrypted generation rules and data.
Can I simply download/copy the "sync.pbak" file from my sync provider to backup my Passify data?

Yes. Sync data and backups use the same format and encryption scheme.

Note that with regular Passify backup files, you will need to know the encryption key from the sync provider settings in order to restore from the sync.pbak.

If you make a copy of the sync.pbak file directly on your sync provider, make sure to copy it somewhere out of the the sync folder on your provider to ensure it isn't removed accidentally.

Can I switch Sync Providers?

Yes, you can switch Sync Providers at any time. See the Knowledgebase article on Changing Sync Providers for more information.

Can I share passwords with family while still maintaining my own private ones?

Yes. Using Passify's Sync feature, you can easily share Generators between family members. Use a shared "Family Secret" for family passwords while using your own seperate Personal Secret for your private passwords.

See the Knowledgebase article "Sharing Passwords" for more information.

Can I use the same Generator for another family member's password?

Although not recommended, yes you can. However, there are some special considerations to be aware of:

  • Unless it's for the same, shared login, each of you should use different Personal Secrets to ensure that each account has its own password.
  • If one of you must change their password for whatever reason, the other passords generated by the same Generator will be affected. To work around this you will need to coordinate password changes, possibly writing down the old passwords before generating the new ones (don't write down the new ones).
  • When syncing, the most recent edit always wins so you will want to avoid editing the same Generators at the same time on different devices. See how Passify resolves Generator edit conflicts for more information.
What happens when a change is made to the same Generator on two different devices?

When syncing, the most recent edit wins.

In other words, if two different devices make a change to the same Generator within a few minutes of each other and then sync before the other device changes have been downloaded, Passify will be forced to choose the most recent edit as the official change. The older change will be disgarded.

As long as Passify has enough time to sync between multiple edits across all devices however, there should be no conflicts with Generator changes.

Unfortunately, there is no easy way around this. Passify performs the sync process in the background and does not always have the ability to prompt the user whether an incoming change should be disgarded or applied. Nor would it be able to automatically determine which changes or portion of the changes between two different edits should be applied.

Question Categories