The master password stays out of the request body
Your master password protects the entire vault, so PassHero avoids the risky pattern of sending it to the server, even inside a TLS-protected request body. The client authenticates with OPAQUE, an augmented password-authenticated key exchange (aPAKE): the server verifies that the client knows the password through a protocol exchange without ever receiving the password itself.
This reduces exposure from request logs, server bugs, and database access. The service can verify a login without becoming a place where master passwords are collected. One caveat still applies: the server holds a per-user OPAQUE registration record, and an attacker who steals that record can run an offline guessing attack against it, so the strength of the master password still matters.
Unlocking vault key material
After the OPAQUE exchange succeeds, the client derives, locally, the key material needed to decrypt the encrypted private key associated with the account. That private key is then used on the client to decrypt the secrets the user can access, so the server only ever stores and serves ciphertext for both.
This keeps the master password tied to one job, unlocking the vault on the client, rather than handing the server a reusable secret it could log, leak, or replay.
Extra checks for sensitive secrets
PassHero also supports high-security secrets. These can require a fresh master password confirmation before sensitive actions such as sharing, which under this model means another OPAQUE exchange rather than sending the password or reusing a cached session. That adds another checkpoint for secrets that deserve extra care.
The result is a master password model with two layers: a safer sign-in exchange and optional re-confirmation for high-risk actions.
How this shows up in PassHero
Login and registration use OPAQUE client flows.
Private key decryption happens in the client after login.
High-security actions can request a password confirmation token.
Password reset and hint flows are kept separate from vault secret values.
FAQ
Does PassHero know my master password?
PassHero is designed so the master password is not sent to the server during registration or login. The client proves knowledge of the password through the OPAQUE exchange, and what the server stores for your account is an OPAQUE registration record rather than the password or a conventional password hash.
What happens if I forget my master password?
A zero-knowledge model means the service cannot recover your master password or decrypt your vault on your behalf, so a forgotten master password cannot be turned back into access to the existing vault contents. Use a strong password you can reliably remember, and keep recovery expectations realistic.
