Security Architecture

Truly zero knowledge password manager

PassHero is designed to be truly zero knowledge by protecting vault data on the client and using OPAQUE so your master password is not sent during login.

Mostly is not enough

OPAQUE helps PassHero avoid the common shortcut of sending the master password to the service.

Secrets are encrypted before they leave your device.

OPAQUE lets the client prove password knowledge without sending the master password.

Only authorised users can decrypt the secret values they receive.

The service coordinates vault data without needing the plain text.

The zero-knowledge promise should include login

Most modern password managers claim to be zero knowledge, and they are, mostly. They encrypt vault contents before storage, which is the right foundation. But the login flow can still become a weak edge if the master password is sent directly to the service or exposed to server-side handling.

PassHero uses OPAQUE to close that gap. Your device proves it knows the master password through a cryptographic exchange instead of posting the master password as a reusable credential.

What truly zero knowledge means in PassHero

Zero knowledge means the service can help you store, sync, and share secrets without needing to know the contents of those secrets. In PassHero, secret values are encrypted in the client before they are sent to the API, then decrypted only by a user with the right private key.

Truly zero knowledge means the master password is treated with the same care. PassHero uses it locally to unlock vault key material and uses OPAQUE for authentication, keeping account verification separate from plain-text secret access.

Designed for real collaboration

PassHero combines zero-knowledge storage with encrypted sharing and delayed access controls. That means the same security model applies when a secret is created, updated, shared, or revealed.

The goal is practical privacy: secrets remain usable by the people who need them, while plain-text exposure is kept away from casual workflows such as chat, email, and shared documents.

How this shows up in PassHero

Login and registration use OPAQUE protocol flows.

Client-side encryption is used before create and update operations.

Shared secrets are encrypted for the recipient before they are saved.

Vault views separate secret metadata from secret values.

FAQ

Can PassHero see my stored passwords?

PassHero is designed so secret values are encrypted before they reach the service and decrypted only by authorised users with the right key material.

Why does OPAQUE matter?

OPAQUE lets PassHero verify password knowledge without receiving the raw master password during login. That makes the zero-knowledge claim stronger than vault encryption alone.

Ready to put secrets somewhere safer?

Create a PassHero account and start moving passwords, notes, and shared credentials into an encrypted vault.
