Technical security analysis of PassAgent’s zero-trust architecture, real-world threat scenarios, and competitive positioning against major password managers.
PassAgent is a zero-trust password manager where the server never touches plaintext credentials. Every vault operation — encryption, decryption, key derivation — happens exclusively on the client using AES-256-GCM with keys derived from the user’s master password through Argon2id (64 MiB memory-hard KDF). The server stores only ciphertext and cryptographic salts. A full server compromise yields zero usable credential data.What sets PassAgent apart is not just strong encryption — most modern password managers offer that. PassAgent solves the problems that other password managers ignore:
You’re crossing an international border and a customs officer demands you unlock your phone. Travel Fortress cryptographically hides sensitive credentials using split-knowledge key separation with time-locks. You physically cannot reveal them, even under duress.
You want to share Netflix with your roommate for a week without giving them the password. Session sharing creates a live, timed browser session where they can watch without ever seeing your credentials.
You need to reset your Instagram password but dread the multi-step process. Type “reset my Instagram password” in the chat, and the AI reset engine handles navigation, email verification, CAPTCHA solving, and password generation automatically.
You’re worried about what happens to your accounts if something happens to you. Dead Man’s Switch monitors your activity and automatically transfers designated credentials to trusted contacts after a configurable inactivity period.
These are not theoretical features. They are production systems backed by real cryptographic protocols, described in full technical detail in this document.
The problem. You’re a journalist traveling to a country with mandatory device inspection at customs. You carry credentials for sources, encrypted communication platforms, and banking apps. A border agent asks you to unlock your vault.How PassAgent handles it.Before your trip, you enable Travel Fortress. You mark sensitive items (source credentials, Signal, banking) as “travel-hidden” and set a 72-hour time-lock.When you enable travel mode, each hidden item’s per-item encryption key is unwrapped from your vault key and re-wrapped under a separate travel key derived from a PIN and a server-held salt. The vault-key-wrapped version is deleted. The server will not release the salt until the time-lock expires — not to you, not to anyone.At the border, your vault opens normally. The agent sees your everyday passwords — Netflix, Gmail, Amazon. The hidden items are cryptographically absent. You cannot reveal them even if compelled, because the server refuses to release the salt for 72 hours.If the agent forces you to enter a PIN, you enter the duress PIN instead. This returns a different salt that derives a different key, which decrypts a convincing fake vault — 15 realistic-looking entries (Gmail, Netflix, LinkedIn, Bank of America) with deterministically generated passwords. Your trusted contacts are silently notified. A duress event is written to the audit log.Key properties:
Split-knowledge guarantee: Neither the PIN alone (user) nor the salt alone (server) can derive the travel key
Time-lock enforcement: The server physically cannot release the salt early — no override, no emergency bypass, no admin backdoor
Duress resistance: Fake vault generator produces consistent, seed-deterministic entries that look identical to a real vault
Cooldown period: After disabling travel mode, items reappear gradually over a configurable period (0–72 hours)
Trusted contact approval: Optionally require a trusted contact to approve travel mode deactivation
Scenario 2: Sharing Netflix without sharing the password
The problem. Your roommate wants to use your Netflix account for a week while you’re traveling. You don’t want to give them your password — they might change settings, share it further, or forget to log out.How PassAgent handles it.You open the PassAgent chat and type: “Share my Netflix with alex@email.com for 7 days.”PassAgent offers two sharing modes:Password sharing creates an encrypted share. Your Netflix password’s per-item key is re-wrapped with Alex’s RSA-OAEP public key and stored as a share entry with a 7-day expiration. Alex can see and use the password, but the share auto-expires and the re-wrapped key is deleted.Session sharing (the zero-knowledge option) never reveals the password at all. PassAgent:
Spins up a cloud browser session via Hyperbrowser with recording disabled
An AI login agent navigates to Netflix, enters your credentials, handles any 2FA prompts
Locks the browser to a single tab (Netflix only — no address bar access, no new tabs)
Optionally enables view-only mode (recipient can watch but not click) and watermarking
Generates a secure live preview URL and sends it to Alex
After 7 days, the session terminates and the browser is destroyed
Alex watches Netflix in a sandboxed browser iframe. They never see your password. They cannot navigate to other sites. They cannot screenshot without a watermark. When the session expires, the entire browser environment is deleted — including cookies, cache, and session tokens.Session sharing controls:
Pause, resume, revoke, or extend active sessions
View-only mode for watch-only access
Watermarking with session identifiers
Scheduled sessions (share access every Friday 8–11 PM)
The problem. You have 200+ accounts. Rotating passwords manually means navigating each site’s settings, finding the change-password form, generating a new password, and saving it. Most people never do this.How PassAgent handles it.You type: “Reset my Instagram password.”The AI reset engine uses a three-phase fallback architecture:
Copy
Ask AI
Phase 1: BQL saved scripts (fastest, most reliable) → Pre-built Browserless Query Language scripts for 50+ popular services → Executes in < 10 seconds per servicePhase 2: Universal browser agent (any site) → Claude Vision AI analyzes page screenshots → Navigates arbitrary reset flows using CSS selectors and visual reasoning → Handles email/SMS verification, security questions, CAPTCHAPhase 3: Local Playwright (fallback) → Full browser automation with vision AI → CAPTCHA escalation: headless → headed → live session handoff
The orchestrator streams progress to the chat UI in real-time:
Navigates to Instagram’s password change page
Generates a new password (configurable complexity, 12–128 characters)
Fills the old password, new password, and confirmation fields
Polls your Gmail for verification emails and extracts codes automatically
Saves the new password to your vault with the updated timestamp
If the AI encounters a CAPTCHA it cannot solve, it escalates: first to a headed browser, then to a live Browserless session where you can solve it manually. The moment you complete the CAPTCHA, the AI resumes the flow.
The problem. If something happens to you — prolonged illness, incapacitation, or death — your family has no way to access critical accounts (banking, insurance, utilities).How PassAgent handles it.You configure a Dead Man’s Switch with a 90-day inactivity period and designate your spouse as a recipient. Every time you log into PassAgent, the timer resets automatically (auto check-in).If you don’t log in for 83 days, warning notifications start:
Day 83 (7 days remaining): “Your Dead Man’s Switch will trigger in 7 days”
Day 87 (3 days remaining): Second warning
Day 89 (1 day remaining): Final warning
If you still don’t respond after 90 days, the switch triggers. Each designated password is shared with your spouse via the encrypted sharing system — the same RSA-OAEP key re-wrapping used for regular sharing. Your spouse receives an in-app notification with the personal message you configured.Warning intervals are configurable (default: 7, 3, and 1 day before trigger). The inactivity period ranges from 7 to 365 days. You can test the notification chain before relying on it.
PassAgent derives the vault key from the user’s master password using Argon2id, the memory-hard KDF that won the Password Hashing Competition and is recommended by OWASP.PassAgent’s V3 encryption uses HKDF-SHA256 to derive four independent sub-keys from the Argon2id output. Each sub-key serves a distinct purpose — encryption, domain indexing, search indexing, and key export — ensuring that compromising one function does not affect the others. The HKDF info strings are: passagent-enc-v3, passagent-mac-v3, passagent-search-v3, and passagent-wrap-v3.
Fallback KDF parameters
On memory-constrained devices (low-end phones, tablets, some WebAssembly environments), the 64 MiB allocation may cause an out-of-memory error. PassAgent automatically falls back to reduced parameters:
Parameter
Primary
Fallback
Memory
64 MiB (65,536 KiB)
32 MiB (32,768 KiB)
Iterations
3
4
Parallelism
4
4
Output
256-bit
256-bit
The extra iteration in fallback mode partially compensates for the halved memory cost. 32 MiB still exceeds the OWASP minimum recommendation of 19 MiB.
Each vault item has its own randomly generated 256-bit AES key. The vault key wraps these per-item keys using AES-KW. This two-tier hierarchy enables secure operations without exposing the vault key:Why envelope encryption matters:
Sharing an item re-wraps its per-item key with the recipient’s RSA-OAEP public key — your vault key is never involved
Revoking access deletes the re-wrapped key — the recipient loses access immediately
Rotating your master password re-wraps all per-item keys under the new vault key without re-encrypting every credential
Searching encrypted data without decrypting it is a hard problem. PassAgent uses HMAC-based blind indexes: deterministic, one-way hashes computed client-side from plaintext values and a key derived from the vault key.Each credential produces four blind indexes:
name_hash — HMAC-SHA-256 of the service name
domain_hash — HMAC-SHA-256 of the normalized domain
username_hash — HMAC-SHA-256 of the username
search_tokens — Array of HMAC-SHA-256 hashes of individual search terms
The server can match queries against these hashes without ever seeing the plaintext. The blind index key is derived from the vault key, so it is inaccessible to the server.
PassAgent supports honeypot credentials — fake entries inserted into the vault that, if used, indicate a breach. Each canary is generated from templates (banking, corporate VPN, AWS, crypto exchange) with a unique honeypot ID embedded in the password field as a tracking URL. When a compromised canary credential is used, the tracking URL is accessed, triggering an alert chain: in-app notification, email alert, and optional webhook.
2SKD adds a second factor to key derivation: a 128-bit device secret stored locally on the device. The master password and device secret are concatenated (with a null-byte separator) before being fed to Argon2id.The device secret is stored in sessionStorage (cleared on tab close) with a localStorage fallback. This means an attacker who obtains the master password still cannot derive the vault key without physical access to the device. The secret is displayed to the user in grouped hex format (e.g., A1B2-C3D4-E5F6-...) for manual backup.
OPRF adds server-side key augmentation to the derivation pipeline. The client sends a blinded request (HMAC of the vault key material), the server evaluates it against a per-user secret key, and the response is mixed back into the key derivation chain via HKDF.The server never learns the vault key — it only sees an HMAC of it. Rate limiting (5 attempts per hour with 1-hour lockout) prevents brute-force. Even with a full database dump and the user’s master password, an attacker cannot derive the vault key without the server’s OPRF secret.
Your recovery key is split into N shares using a random polynomial of degree K-1 evaluated over GF(256). Any K shares can reconstruct the key via Lagrange interpolation. Fewer than K shares reveal zero information — this is an information-theoretic guarantee, not a computational assumption.
Any K shares (shown as solid arrows above) are sufficient to reconstruct the key. The remaining shares (Share N, grayed out) are not needed. Fewer than K shares reveal zero information.
{ x: number // Share index (1-255, never 0) data: string // Base64url-encoded share data threshold: number // K — minimum shares needed total: number // N — total shares issued}
All operations use the AES irreducible polynomial (0x11B). Multiplication uses Russian peasant multiplication with XOR-based reduction. Division uses the extended Euclidean algorithm for multiplicative inverses. There are no floating-point operations — everything is exact byte arithmetic.
Fewer than K shares provide zero information about the recovery key. This is a mathematical guarantee. However, if K or more shares are compromised, the recovery key is fully reconstructable.
The family vault extends Shamir sharing with a guardian system. The Family Recovery Secret is split into shares distributed to family members (guardians). Each guardian’s share is encrypted with their vault key before storage. Recovery requires K guardians to contribute their decrypted shares.The threshold engine computes optimal K-of-N configurations based on the number of guardians and the desired security/availability tradeoff:
The duress PIN is stored server-side as an Argon2id hash (16 MiB, 3 iterations) in the standard $argon2id$... encoded format. When entered:
The server detects it is the duress PIN (timing-safe comparison against the duress hash)
Returns a fake salt instead of the real travel key salt
The client derives a fake travel key from the fake salt
The fake key decrypts a deterministic fake vault (15 passwords, 3 notes)
Trusted contacts receive a silent duress alert
A duress event is logged with full request metadata
The fake vault is generated using a seeded PRNG derived from the user ID, so the same fake data appears on every duress unlock — preventing coercers from detecting inconsistencies across multiple forced unlocks.
PassAgent generates full synthetic identities for privacy-first signups:
Fake name (first + last, from a pool of 40+ male and 40+ female names and 50+ surnames)
Username derived from the generated name
Email alias via integrated providers (SimpleLogin, Addy.io, or Fastmail)
Fake date of birth, address, and phone number
The full identity lifecycle is managed: create a disposable identity, use it to sign up for a service, and “nuke” it when done — deleting the email alias and removing all associated data.
Each provider supports: create alias, list aliases, delete alias, toggle alias (enable/disable). Aliases are stored in the vault alongside the identity metadata.
Session sharing is PassAgent’s zero-knowledge alternative to password sharing. Instead of sending credentials, you give someone a live browser session that is already logged in.
Session sharing requires a cloud browser provider that supports live preview URLs without authentication. PassAgent supports multiple providers with automatic fallback:
Provider
Live preview
Recording control
Session sharing support
Hyperbrowser
Token-based public URL
Can disable
Primary provider
Browserbase
Debug fullscreen URL
Always records
Fallback (records sessions)
Steel
Dashboard URL
N/A
Not usable (requires login)
The provider manager abstracts browser creation, session lifecycle, and cleanup. Failed sessions trigger automatic provider session termination to prevent billing charges.
PassAgent can scan your Gmail inbox to discover accounts you’ve signed up for. It searches for signup confirmation emails, password reset emails, and account verification messages, then extracts service names and domains. This gives you a complete picture of your online presence — including accounts you may have forgotten.
PassAgent builds a behavioral profile for each user: typical login times, devices, locations, and access patterns. Deviations from established patterns trigger step-up authentication or security alerts.
PassAgent extends its zero-trust encryption to secure notes — free-form text entries encrypted with the same V3 envelope encryption as passwords.Each note supports:
Rich text editing via TipTap (headings, lists, code blocks, links)
Categories and tags for organization
Sensitivity levels (low, medium, high, critical)
Pin, lock, and favorite status
Color coding for visual organization
Expiration dates for auto-deletion
Attachments with per-file encryption
Sharing with specific users via RSA-OAEP key re-wrapping
Travel mode filtering — notes can be marked travel-safe or hidden
Notes use the same encryption pipeline as passwords: each note has its own random 256-bit AES key, wrapped with the vault’s encKey. The note content (including rich text formatting) is encrypted client-side before transmission. The server stores only encrypted_data and wrapped_item_key.
This section provides a rigorous, category-by-category security and feature comparison of PassAgent against the nine most widely deployed password managers and built-in browser/OS credential stores: 1Password, Bitwarden, LastPass, Dashlane, NordPass, Keeper, Proton Pass, Google Passwords, and Apple Passwords (iCloud Keychain). Each category is scored 1—10 based on implementation depth, cryptographic rigor, and real-world threat coverage. Justifications reference specific technical implementations, not marketing claims.
Why Google Passwords and Apple Passwords are included
Most users never install a dedicated password manager. They use whatever their browser or phone provides by default — Google Password Manager (Chrome, Android) or Apple Passwords (iCloud Keychain, Safari, iOS). These built-in credential stores reach billions of users, making them the most important competitors to compare against.Google Password Manager is NOT zero-trust by default. In its default “standard encryption” mode, passwords are encrypted at rest with AES-256 on Google’s servers, but Google holds the encryption keys. Google has the technical capability to decrypt and produce your saved passwords — and will do so under valid law enforcement requests. An opt-in “on-device encryption” mode exists that stores the key locally, but this is not enabled by default for the majority of Chrome’s billions of users. The code is closed-source with no public security audit of the password manager specifically.Apple Passwords (iCloud Keychain) is stronger but not strictly zero-knowledge. Apple does use end-to-end encryption for passwords by default — device-bound P-384 elliptic curve keys encrypt items so only devices in the user’s “circle of trust” can decrypt them. Apple states it cannot read keychain contents. However, the encryption keys are tied to the Apple ID infrastructure that Apple controls, and the HSM-backed escrow recovery mechanism (while secured with a 10-attempt limit and physically destroyed admin access cards) introduces a recovery path that a strict zero-knowledge system would not have. The code is closed-source, though Apple publishes detailed Platform Security Guides.PassAgent is true zero-knowledge by design. The server stores only encrypted blobs and salts. All key derivation and encryption happens exclusively in the browser via Web Crypto API. Two-Secret Key Derivation adds a device-bound secret, and OPRF adds server-augmented stretching — but the server never learns the vault key. There is no recovery backdoor. If you lose your master password without configuring Shamir recovery, your data is permanently inaccessible.The cross-platform problem. Google Passwords works well within Chrome and Android but offers a degraded experience on iOS (no autofill outside Chrome) and no desktop app. If you switch to Firefox or Safari, your passwords don’t follow you. Apple Passwords is even more locked-in: full functionality requires an Apple device. The Windows iCloud Passwords app exists but lags behind in features, and there is no Linux or Android support. Both lock you into their ecosystem. PassAgent runs as a web app with browser extensions for Chrome, Firefox, and Safari, plus a native iOS app — your vault is accessible on any platform with any browser, with no ecosystem lock-in.
The foundation of any password manager: the server must never have access to plaintext credentials, vault keys, or master passwords.
Vendor
Score
Justification
PassAgent
10
Full zero-trust. All encryption/decryption in Web Crypto API. Server stores only ciphertext, wrapped keys, and salts. Blind indexes for search prevent even partial plaintext exposure. OPRF layer ensures the server contributes to key derivation without learning the vault key.
1Password
10
SRP authentication means the server never sees the master password. Dual-key derivation (master password + Secret Key) ensures server-side data alone is insufficient. Well-documented architecture.
Bitwarden
10
Client-side encryption with AES-256-CBC + HMAC-SHA256. Open-source clients allow full verification. Server receives only ciphertext.
LastPass
7
Claims zero-knowledge, but the 2022 breach revealed plaintext URL storage and unencrypted vault metadata. Vault structure was partially exposed, enabling targeted phishing attacks against high-value targets.
Dashlane
9
Client-side AES-256-GCM encryption. Architecture is sound but documentation of cryptographic internals is less detailed than 1Password or Bitwarden.
NordPass
9
XChaCha20-Poly1305 encryption with zero-knowledge claims. Architecture appears solid but independent verification is limited due to closed source.
Keeper
9
AES-256-GCM client-side encryption. SOC 2 and ISO 27001 certified. Some metadata handling practices are less transparent.
Proton Pass
10
Built on Proton’s zero-access encryption infrastructure. Open-source clients. End-to-end encrypted with no server-side decryption capability. Benefits from Proton’s established privacy track record.
Google Passwords
3
Not zero-knowledge by default. Standard encryption mode uses server-side AES-256 where Google holds the keys. Google can technically access and produce your saved passwords under law enforcement requests. An opt-in “on-device encryption” mode exists but is not the default for Chrome’s billions of users. Closed-source with no public security audit of the password manager specifically.
Apple Passwords
7
End-to-end encryption for passwords by default using device-bound P-384 keys. Apple states it cannot read keychain contents. However, keys are derived from Apple ID infrastructure that Apple controls. HSM-backed escrow recovery mechanism (with 10-attempt limit and destroyed admin cards) introduces a recovery path absent from strict zero-knowledge designs. Not strictly zero-knowledge by academic definition, but practically strong. Closed-source with detailed Platform Security Guides.
Evaluates the full key derivation pipeline: base KDF algorithm, memory hardness, server-augmented stretching, and multi-factor key inputs.
Vendor
Score
Justification
PassAgent
10
Triple-layer derivation: Argon2id (64 MiB, 3 iter, 4 threads) plus Two-Secret Key Derivation (128-bit device secret concatenated before KDF) plus OPRF server-augmented stretching. HKDF-SHA256 derives four independent sub-keys (enc, mac, search, wrap). Even with the master password and a full database dump, the vault key cannot be derived without the OPRF server secret and device secret.
1Password
8
Argon2id with SRP. Secret Key (128-bit) adds a second factor. Strong, but no server-augmented OPRF and parameters are not as aggressive as PassAgent’s 64 MiB default.
Bitwarden
8
Migrated from PBKDF2 to Argon2id. Configurable parameters with reasonable defaults. PBKDF2 is still used for some older accounts. No OPRF or device-secret layer.
LastPass
4
PBKDF2-SHA256 with 600,000 iterations. No memory hardness whatsoever. Vulnerable to GPU/ASIC parallel attacks. The 2022 breach made this weakness critical as attackers could apply massive parallel compute to stolen vaults.
Dashlane
7
Uses Argon2d (not Argon2id). Argon2d is optimized for resistance against GPU attacks but is less resistant to side-channel attacks than Argon2id. No OPRF or device-secret augmentation.
NordPass
8
XChaCha20-Poly1305 for encryption with Argon2id for key derivation. Solid choice, but exact KDF parameters and any additional key stretching layers are not publicly documented.
Keeper
4
PBKDF2-SHA256 with variable iteration counts. Same fundamental weakness as LastPass: no memory hardness means GPU/ASIC attacks are efficient.
Proton Pass
6
bcrypt for key derivation combined with SRP for authentication. bcrypt provides some memory hardness but is significantly weaker than Argon2id. SRP adds authentication security but does not strengthen key derivation.
Google Passwords
2
Key derivation details are not publicly documented. In standard mode, encryption keys are managed server-side by Google’s infrastructure, tied to your Google account. No user-configurable KDF parameters. No memory-hard function exposed. No OPRF or device-secret layer.
Apple Passwords
5
Uses device passcode as part of key derivation combined with P-384 elliptic curves and SRP for escrow verification. The KDF specifics are not fully detailed. No Argon2id, no OPRF, no 2SKD. Strong device-binding through Secure Enclave but not a memory-hard KDF pipeline.
3. Per-item encryption (V3 envelope vs shared vault key)
Measures whether each credential has its own encryption key (envelope encryption) versus a single vault-wide key, and the sophistication of the key wrapping scheme.
Vendor
Score
Justification
PassAgent
10
V3 envelope encryption: every vault item gets a unique random 256-bit AES key, wrapped with the vault encKey via AES-KW. Sharing re-wraps the per-item key with the recipient’s RSA-OAEP public key. Master password rotation re-wraps per-item keys without re-encrypting every credential. Four independent sub-keys (enc, mac, search, wrap) ensure function separation.
1Password
8
Per-item keys within vaults. Items encrypted individually. Sharing operates at the vault level (shared vaults), not per-item. Password rotation requires re-encrypting shared vault keys.
Bitwarden
7
Each cipher (item) is encrypted individually, but all use the same derived symmetric key. No per-item key wrapping. Sharing uses organization keys. Less granular than true envelope encryption.
LastPass
6
Items encrypted with the vault key. Sharing uses RSA-encrypted sharing keys. No per-item key hierarchy. All items decrypted with the same key, meaning compromise of the vault key exposes everything simultaneously.
Dashlane
7
Per-item encryption keys derived from the master key. Sharing uses asymmetric key exchange. Implementation is sound but less documented than PassAgent’s V3 scheme.
NordPass
7
XChaCha20-Poly1305 per-item encryption. Each item encrypted independently. Sharing mechanism details are not fully public.
Keeper
7
Per-record AES-256-GCM encryption keys. Record keys wrapped with a data key, which is wrapped with the user’s private key. Multi-tier hierarchy similar to envelope encryption.
Proton Pass
8
Per-item encryption with distinct keys. Leverages Proton’s established key management infrastructure. Open-source clients allow verification. Sharing uses OpenPGP-based key exchange.
Google Passwords
3
No documented per-item encryption. In standard mode, all passwords share the same server-managed encryption context. Even with on-device encryption enabled, the granularity of key management is not documented.
Apple Passwords
7
Each keychain item is encrypted to the user’s circle of trust using per-item metadata. Items are individually encrypted for sync. Strong per-item isolation in practice, though the key wrapping hierarchy is less granular than PassAgent’s V3 scheme.
Evaluates cryptographic protections against compelled device inspection at borders, including key separation, time-locks, and duress resistance.
Vendor
Score
Justification
PassAgent
10
Cryptographic key re-wrapping: hidden items’ per-item keys are unwrapped from the vault key and re-wrapped under a travel key derived from a PIN and a server-held, time-locked salt. The vault-key-wrapped version is deleted. Split-knowledge guarantee (PIN + salt). Duress PIN returns a fake salt that decrypts a deterministic fake vault (15 entries). Trusted contact silent alerts. Configurable time-lock (0—720 hours) and cooldown period (0—72 hours).
1Password
4
Travel Mode removes selected vaults from the device. Effective as a visibility toggle, but not cryptographic separation. A forensic examiner with access to device storage or iCloud backup could potentially recover vault data. No duress resistance. No time-lock.
Bitwarden
1
No travel mode or border crossing features.
LastPass
1
No travel mode or border crossing features.
Dashlane
1
No travel mode or border crossing features.
NordPass
1
No travel mode or border crossing features.
Keeper
2
Self-destruct feature wipes the vault after N failed PIN attempts. This is destructive rather than deceptive, alerts coercers that sensitive data exists, and provides no plausible deniability.
Proton Pass
1
No travel mode. Proton VPN has some anti-censorship features, but Proton Pass itself has no border crossing protections.
5. Session sharing (live session without password reveal)
Evaluates the ability to share access to an account via a live browser session where the recipient never sees the underlying credentials.
Vendor
Score
Justification
PassAgent
10
Spins up a cloud browser (Hyperbrowser/Browserbase) with recording disabled. AI login agent enters credentials and handles 2FA. Browser is locked to a single tab (target domain only). Optional view-only mode and watermarking. Secure live preview URL with Redis-backed TTL. Pause, resume, revoke, extend controls. Scheduled recurring sessions. The recipient never sees, intercepts, or stores the password.
1Password
1
No session sharing. Sharing reveals the password to the recipient.
Bitwarden
1
No session sharing. Shared items expose credentials to recipients.
LastPass
1
No session sharing. Shared credentials are visible to recipients.
Dashlane
1
No session sharing. Standard password sharing only.
NordPass
1
No session sharing capability.
Keeper
1
No session sharing. One-time share links still reveal the credential.
Proton Pass
1
No session sharing. Sharing reveals credentials to recipients.
Evaluates automation of the password reset lifecycle: navigation, form filling, verification code extraction, CAPTCHA handling, and vault update.
Vendor
Score
Justification
PassAgent
10
Three-phase fallback: (1) BQL saved scripts for 50+ services in under 10 seconds, (2) Universal Vision AI agent using Claude to analyze screenshots and navigate arbitrary reset flows, (3) Local Playwright with CAPTCHA escalation (headless to headed to live session handoff). Automated Gmail polling extracts OTP codes and verification links. New password generated, set, and saved to vault in a single chat command.
1Password
1
Watchtower identifies weak/compromised passwords but provides no automation for changing them. User must manually visit each site.
Bitwarden
1
No password reset automation. Reports weak passwords but offers no remediation tooling.
LastPass
1
Had an “auto-change” feature for a small number of sites, but it was deprecated due to reliability issues. No current automation.
Dashlane
1
Previously offered a “Password Changer” for limited sites, but the feature has been largely phased out. No AI-driven reset.
NordPass
1
No password reset automation of any kind.
Keeper
1
BreachWatch identifies compromised passwords but provides no automation for changing them.
Proton Pass
1
No password reset automation. Pass Monitor identifies weak passwords without remediation.
Evaluates whether the vendor implements Shamir’s Secret Sharing for distributed vault recovery, the mathematical rigor of the implementation, and the flexibility of threshold configurations.
Vendor
Score
Justification
PassAgent
10
Full Shamir implementation over GF(2^8) with the AES irreducible polynomial (0x11B). Recovery key split into K-of-N shares using random polynomials. Exact byte arithmetic via Russian peasant multiplication. Lagrange interpolation for reconstruction. Family guardian system distributes shares encrypted with each guardian’s vault key. Configurable thresholds based on family size (easy mode vs secure mode). Information-theoretic security: fewer than K shares reveal zero information.
1Password
3
Recovery Kit (printed Secret Key + master password). Family organizer can recover family members. No Shamir-based splitting. Recovery is binary: you have the kit or you do not.
Bitwarden
2
Emergency Access feature with configurable waiting period. Trusted contact can request access; if the owner does not reject within the wait period, access is granted. Not Shamir-based; single-point recovery.
LastPass
2
Emergency Access with a waiting period (similar to Bitwarden). Limited to one-time access grant. No threshold-based recovery.
Dashlane
2
Recovery key only. No distributed recovery mechanism. Account recovery requires the single recovery key or master password.
NordPass
2
Recovery code generated at signup. Single-factor recovery. No distributed or threshold-based options.
Keeper
2
Account recovery via security questions or admin-initiated recovery for enterprise. No Shamir-based splitting.
Proton Pass
2
Proton account recovery mechanisms. No Shamir-based vault recovery. Recovery depends on Proton account access.
Evaluates the depth and breadth of phishing protection, from domain matching to visual similarity detection.
Vendor
Score
Justification
PassAgent
9
Four-layer anti-phishing pipeline: (1) exact domain matching against stored credentials, (2) Levenshtein distance fuzzy matching for typosquatting detection (e.g., faceb00k.com vs facebook.com), (3) Unicode homograph detection (Cyrillic/Latin character substitution), (4) known-phishing domain blocklist with real-time updates. AutoFill refuses to populate credentials on non-matching domains. Loses 1 point as the system is newer and has less field-tested coverage than mature solutions.
1Password
7
Strict domain matching for AutoFill. Watchtower warns about compromised sites. No fuzzy typosquatting detection or Unicode homograph analysis. Relies on exact URL matching.
Bitwarden
5
URI matching for AutoFill (exact, host, starts-with, regex). No fuzzy matching, no homograph detection, no phishing domain blocklist.
LastPass
4
Basic URL matching for AutoFill. Has been the target of phishing attacks exploiting its pop-up UI. Limited proactive phishing detection.
Dashlane
6
Phishing alerts for known compromised websites. Domain matching for AutoFill. Dark web monitoring for credential exposure. No fuzzy or homograph detection.
NordPass
5
Basic URL matching for AutoFill. Data breach scanner checks for exposed credentials. No multi-layer phishing detection.
Keeper
5
Exact URL matching. BreachWatch monitors for exposed credentials. No typosquatting or homograph detection layers.
Proton Pass
6
Proton Sentinel (AI-driven security monitoring) for high-value accounts. Domain matching for AutoFill. Benefits from Proton’s broader security infrastructure. No dedicated homograph or fuzzy matching layer in Pass itself.
Evaluates whether the vault can contain decoy credentials that trigger alerts when used by an attacker, providing active breach detection rather than passive monitoring.
Vendor
Score
Justification
PassAgent
10
Built-in honeytoken system. Canary credentials generated from templates (banking, corporate VPN, AWS, crypto exchange). Each canary embeds a unique honeypot ID as a tracking URL in the password field. If an attacker exfiltrates and uses a canary credential, the tracking URL is accessed, triggering in-app notification, email alert, and optional webhook. Canaries are indistinguishable from real entries to an attacker.
10. Biometric unlock (WebAuthn PRF vs convenience shortcuts)
Evaluates how biometric unlock is implemented: whether it derives a cryptographic key from the biometric ceremony (WebAuthn PRF) or merely gates access to a cached key.
Vendor
Score
Justification
PassAgent
9
WebAuthn PRF extension support: the biometric ceremony produces a pseudo-random output that feeds into key derivation, binding the vault key to the physical authenticator. Falls back to platform biometric gating (Touch ID / Face ID) on iOS where PRF is not available. Device secret (2SKD) provides an additional binding factor stored in sessionStorage.
1Password
8
Biometric unlock on all platforms (Touch ID, Face ID, Windows Hello, fingerprint). Passkey-based sign-in via WebAuthn. Well-implemented but biometric typically gates a cached key rather than deriving a new one.
Bitwarden
7
Biometric unlock on mobile and desktop. WebAuthn for 2FA. Biometric gates the master key stored in secure enclave. No PRF-based key derivation.
LastPass
6
Biometric unlock on mobile. Less sophisticated implementation. Has had security issues with biometric bypass in the past.
Dashlane
7
Biometric unlock on all platforms. Passkey support for authentication. Standard biometric gating of cached credentials.
NordPass
7
Biometric unlock via platform APIs. Passkey support. Standard implementation without PRF-based derivation.
Keeper
7
Biometric unlock across platforms. Uses platform secure storage for key protection. Standard biometric gating model.
Proton Pass
6
Biometric unlock on mobile. Passkey support for Proton account authentication. Implementation is newer with less platform coverage.
Evaluates the ability to generate full synthetic identities for privacy-preserving account signups, including email alias integration and identity lifecycle management.
Vendor
Score
Justification
PassAgent
10
Full synthetic identity generation: fake name (80+ first names, 50+ surnames), derived username, date of birth, address, and phone number. Integrated email alias creation via SimpleLogin, Addy.io, and Fastmail JMAP MaskedEmail API. Full lifecycle management: create, use for signup, and nuke (delete alias + purge all associated data).
1Password
2
Fastmail masked email integration. No synthetic identity generation. No address, name, or phone generation. Limited to email aliases only through a single provider.
Bitwarden
1
Username generator (random, catch-all email, forwarded alias via SimpleLogin/AnonAddy/Fastmail). No full identity generation.
LastPass
1
No identity generation or email alias features.
Dashlane
1
No disposable identity generation. Basic password generator only.
NordPass
1
No identity generation features.
Keeper
1
No identity generation features.
Proton Pass
5
Hide-my-email aliases powered by SimpleLogin (Proton-owned). Generates unique email aliases for each signup. No full synthetic identity (name, address, DOB). Strong in the email alias domain but limited in scope.
Evaluates automated credential transfer to designated contacts after a configurable inactivity period, including warning notifications and triggering mechanisms.
Vendor
Score
Justification
PassAgent
10
Configurable inactivity period (7—365 days). Auto check-in on every login. Progressive warning notifications at configurable intervals (default: 7, 3, and 1 day before trigger). Automatic credential transfer to designated contacts via RSA-OAEP encrypted sharing. Personal message delivery. Full notification chain can be tested before relying on it.
1Password
1
No dead man’s switch. Family organizer can facilitate account recovery but there is no automated inactivity-based transfer.
Bitwarden
3
Emergency Access with a waiting period (1—720 hours). Trusted contact requests access; if the owner does not reject, access is granted. Conceptually similar but requires the contact to initiate, not the system. No progressive warnings to the owner.
LastPass
3
Emergency Access with configurable wait time. Similar to Bitwarden: contact-initiated, not system-initiated. No progressive notification chain.
Dashlane
1
No dead man’s switch or emergency access feature.
NordPass
1
No dead man’s switch feature.
Keeper
1
Emergency Access feature for enterprise. Not available for individual plans as a configurable inactivity-based trigger.
Proton Pass
1
No dead man’s switch. Proton account recovery exists but is not a credential transfer mechanism.
Evaluates family credential sharing, family-specific vault management, and whether family recovery uses threshold cryptography rather than single-admin recovery.
Vendor
Score
Justification
PassAgent
10
Family vault with Shamir threshold recovery. Family Recovery Secret (256-bit random) is split into K-of-N shares distributed to guardians. Each guardian’s share is encrypted with their vault key. Recovery requires K guardians to contribute decrypted shares via Lagrange interpolation over GF(256). Configurable thresholds: easy mode (lower K) vs secure mode (higher K). No single point of failure.
1Password
7
Family plan with shared vaults. Family organizer can recover member accounts. Mature implementation with good UX. Recovery depends on the family organizer (single point of control), not threshold cryptography.
Bitwarden
6
Organization vaults for family sharing. Collections for access control. Admin-based recovery. No threshold recovery scheme.
LastPass
5
Family plan with shared folders. Emergency access for recovery. Admin-based recovery model. Limited to 6 family members.
Dashlane
6
Family plan (up to 10 members). Shared spaces for credential sharing. Admin-initiated recovery. No threshold cryptography.
NordPass
2
Family plan available but with basic sharing. No family-specific recovery mechanisms. No threshold recovery.
Keeper
6
Family plan with role-based access. Record-level sharing. Admin-initiated recovery for family members. No threshold recovery.
Proton Pass
5
Family plan available. Vault sharing between family members. Recovery tied to Proton account recovery. No threshold-based family recovery.
Evaluates mechanisms for granting vault access to trusted contacts in emergency situations, including the security of the handoff and configurability.
Vendor
Score
Justification
PassAgent
10
Combines Dead Man’s Switch (system-initiated after inactivity), Shamir threshold recovery (distributed, no single point), and standard encrypted sharing (RSA-OAEP re-wrapping with expiration). Three independent emergency access paths ensure redundancy. Configurable granularity: share specific items, categories, or entire vault.
1Password
6
Family organizer recovery. Recovery Kit (printed). No automated inactivity-based transfer. Emergency access depends on having the printed Secret Key.
Bitwarden
7
Dedicated Emergency Access feature. Configurable wait period. Trusted contact can view or takeover the vault. Well-implemented but single-contact, non-threshold.
LastPass
5
Emergency Access with wait period. Limited configurability. Single trusted contact at a time. History of security incidents reduces trust in the mechanism.
16. Passkey management (extension as authenticator)
Evaluates passkey (WebAuthn/FIDO2) support, whether the browser extension can act as an authenticator, and the depth of passkey lifecycle management.
Vendor
Score
Justification
PassAgent
9
Browser extension acts as a FIDO2 authenticator for passkey creation and authentication. Passkeys stored in the encrypted vault with per-item encryption. Cross-device sync via vault replication. Passkey metadata (RP ID, user handle, credential ID) encrypted alongside the key material. Travel mode can hide passkeys. Loses 1 point for newer implementation with less ecosystem testing.
1Password
8
Full passkey support across all platforms. Extension acts as authenticator. Mature implementation with wide site compatibility. Passkeys synced across devices. Industry leader in passkey adoption.
Bitwarden
7
Passkey support in browser extension and mobile apps. Can store and use passkeys for authentication. Solid implementation with growing site compatibility.
LastPass
4
Passkey support announced but implementation is limited. Browser extension has basic passkey storage. Not yet a full authenticator replacement.
Dashlane
7
Passkey support with browser extension as authenticator. Good implementation across platforms. Active in FIDO Alliance.
NordPass
6
Passkey support available. Basic creation and authentication flow. Less mature than leading implementations.
Keeper
5
Passkey support in development. Basic WebAuthn support for vault authentication. Not yet a full passkey manager replacement.
Proton Pass
7
Passkey support with creation and authentication. Open-source implementation allows verification. Cross-platform sync through Proton infrastructure.
Evaluates the sophistication of the threat detection engine: number of anomaly types detected, behavioral profiling, and automated response actions.
Vendor
Score
Justification
PassAgent
9
Detects 11 anomaly types: impossible travel, new device/browser fingerprint, unusual access time, credential spray (IP/password/subnet), IP reputation, rapid login failures, session hijacking indicators, account enumeration, bulk export detection, and API abuse. Behavioral profiling with four weighted components (time, velocity, resource, session drift). 14-day learning period. Sliding-window Redis counters. Automated actions: allow, flag, step-up auth, or block.
1Password
6
Watchtower monitors for compromised passwords, weak passwords, unsecured websites, and missing 2FA. Business tier adds sign-in attempt monitoring. No behavioral profiling or credential spray detection.
Bitwarden
4
Vault health reports (weak, reused, exposed passwords). Basic login attempt logging for enterprise. No real-time anomaly detection or behavioral analysis.
LastPass
3
Basic security dashboard. Dark web monitoring via HIBP. Login notification emails. No behavioral profiling, no spray detection, no impossible travel detection.
Dashlane
5
Dark web monitoring. Password health score. Business tier adds basic login monitoring. No multi-dimensional anomaly detection.
NordPass
3
Data breach scanner. Password health checker. No anomaly detection or behavioral profiling.
Keeper
4
BreachWatch dark web monitoring. Admin console with login audit (enterprise). Basic activity reporting. No behavioral analysis.
Proton Pass
3
Proton Sentinel (AI-driven monitoring) for Proton accounts, but not specific to Pass vault operations. Pass Monitor checks for weak/reused passwords.
Evaluates source code availability, auditability, and community verification of cryptographic implementations.
Vendor
Score
Justification
PassAgent
3
Not fully open source. Detailed technical documentation (this whitepaper) provides transparency into cryptographic design. Plans for open-source client libraries. Security architecture is documented at protocol level.
1Password
2
Closed source. Publishes detailed security whitepapers and undergoes third-party audits (Cure53, SOC 2). Transparency through documentation rather than source code.
Bitwarden
10
Fully open source: server, web vault, browser extensions, mobile apps, CLI, and desktop apps. AGPL-3.0 and GPL-3.0 licenses. Third-party security audits (Cure53). Gold standard for open-source password management.
LastPass
1
Closed source. Limited security documentation. Third-party audit results are not always publicly disclosed. 2022 breach eroded trust.
Dashlane
1
Closed source. Publishes a security whitepaper. Third-party audits conducted but results not always publicly available.
NordPass
1
Closed source. Audited by Cure53. Limited public documentation of cryptographic internals.
Keeper
1
Closed source. SOC 2 and ISO 27001 certified. Publishes a security architecture document but source code is not available.
Proton Pass
7
Open-source clients (web, browser extensions, mobile). Server code is closed. All Proton apps undergo independent security audits. Benefits from Proton’s open-source culture.
PassAgent scores 168 out of a possible 180 points (93%), nearly double the next-closest competitor (1Password at 84 points, 47%). This gap is not attributable to a single category but to PassAgent’s breadth of innovation across every security dimension.Google Passwords scores lowest at 49 points (27%) — a direct consequence of not being zero-knowledge by default. When Google holds your encryption keys and can produce your passwords under subpoena, the entire security model is fundamentally different. Apple Passwords performs better at 64 points (36%) thanks to end-to-end encryption, but still lacks advanced features like travel mode, session sharing, and threshold recovery.The nine competitors cluster between 27% and 47%. Their scores are similar because they compete on the same set of established features: zero-knowledge encryption, password sharing, breach monitoring, and cross-platform coverage. PassAgent competes on a different axis entirely, introducing eight categories where no other vendor scores above 1:
Live session sharing (zero-knowledge credential use without reveal)
PassAgent’s primary weakness is open-source transparency (3/10). This is a strategic tradeoff, not a technical limitation, and is partially offset by comprehensive documentation and planned open-source client releases. Platform coverage is also narrower than 1Password or Bitwarden, but expanding.
12. Why PassAgent — features no other vendor offers
The following seven capabilities represent architectural innovations that are absent from every competing password manager. These are not incremental improvements over existing features. They are new categories of security and automation that PassAgent introduced.
12.1 Cryptographic travel mode (key re-wrapping, not hiding)
Every other vendor’s “travel mode” (where it exists at all) works by removing or hiding vault data from the device. This is a visibility toggle. A forensic examiner with disk access, backup access, or memory analysis tools can potentially recover the hidden data.PassAgent’s Travel Fortress operates differently. When travel mode is enabled, each hidden item’s per-item encryption key is unwrapped from the vault key and re-wrapped under a separate travel key derived from a Travel PIN and a server-held salt. The vault-key-wrapped version is permanently deleted. The item is now encrypted with a key that cannot be derived without both the PIN (user memory) and the salt (server, time-locked).What this means in practice: Even if a border agent compels you to unlock your vault and enters the master password, the hidden items are cryptographically absent. They are not hidden files that can be found with forensic tools. They are ciphertext whose decryption key physically does not exist on the device or the server (until the time-lock expires). This is the difference between hiding a document in a drawer and burning the only key to a safe for 72 hours.
Password sharing has a fundamental weakness: once the recipient has the password, you have lost control. They can store it, share it further, or use it for purposes you did not intend.PassAgent’s session sharing eliminates this problem by never revealing the password. Instead, it spins up a sandboxed cloud browser, has an AI agent log in using your credentials, locks the browser to a single domain (no address bar, no new tabs), and sends the recipient a live preview URL. The recipient can use the service — watch Netflix, browse a dashboard, read emails — without ever seeing, intercepting, or storing the credential.No other password manager offers this. Every competitor’s sharing feature reveals the credential to the recipient.
Password rotation is the single most neglected security practice. Users know they should change passwords regularly. They do not, because it requires navigating to each site, finding the change-password form, generating a new password, handling verification, and saving the update.PassAgent reduces this to a single chat command. The three-phase fallback engine (BQL saved scripts, Universal Vision AI agent, Local Playwright) handles the entire lifecycle: navigation, form detection, password generation, old password entry, new password confirmation, email/SMS verification code extraction, CAPTCHA handling, and vault update. Fifty or more services can be reset in a single session.No other password manager automates password resets. Dashlane and LastPass previously attempted limited auto-change features, but both deprecated them due to reliability issues. PassAgent’s AI-driven approach (using Claude Vision for arbitrary site navigation) is fundamentally more capable.
Breach monitoring services like HIBP tell you after your credentials appear in a public dump. This is reactive. The breach has already happened, the data has already spread, and you are learning about it weeks or months later.PassAgent’s vault canaries provide proactive breach detection. Honeytoken credentials — convincing fake entries generated from templates (banking, VPN, cloud services, crypto exchanges) — are placed in your vault alongside real entries. Each canary embeds a unique tracking URL in its password. If an attacker exfiltrates your vault and attempts to use a canary credential, the tracking URL fires, instantly alerting you via in-app notification, email, and optional webhook.No other password manager offers vault canaries. This is an offensive security technique (borrowed from network security honeypots) applied to personal credential management.
Most password managers protect against phishing through exact domain matching: if the current site’s URL does not match the stored URL, AutoFill refuses to populate. This stops basic phishing but fails against sophisticated attacks.PassAgent implements four layers:
12.6 V3 per-item envelope encryption with function separation
Most password managers encrypt vault items with a single key derived from the master password. If that key is compromised, all items and all functions (encryption, search, indexing) are exposed simultaneously.PassAgent’s V3 encryption pipeline derives four independent sub-keys from the HKDF output:
Each vault item has its own random 256-bit AES key, wrapped with encKey via AES-KW. Compromising one sub-key does not expose the others. This is a materially different architecture from competitors that use a single derived key for all vault operations.
Even with a strong KDF like Argon2id, an attacker who obtains both the encrypted vault and the master password can derive the vault key offline. PassAgent’s OPRF layer adds a server-side secret to the key derivation chain.The client sends a blinded HMAC request (so the server never sees the vault key material). The server evaluates it against a per-user OPRF secret and returns the result. The client mixes this response into the final key derivation via HKDF. The result: even with the master password AND a full database dump, the attacker cannot derive the vault key without the OPRF server secret. Combined with rate limiting (5 attempts per hour), this makes offline brute-force infeasible.No other consumer password manager implements OPRF. 1Password’s SRP provides authentication security but does not augment key derivation with a server-side secret in the same way.
PassAgent is the only password manager that combines all of: cryptographic travel mode with duress resistance, zero-knowledge session sharing, AI-powered password reset automation, Shamir threshold recovery, vault canaries, 4-layer phishing detection, V3 per-item envelope encryption with function separation, and OPRF server-augmented key stretching. These capabilities represent a generational advance over the current state of the art in personal credential management.
Zero-trust architecture. Server never receives the vault key or plaintext credentials. All encryption/decryption occurs client-side via Web Crypto API.
Database breach
AES-256-GCM with per-item 256-bit keys. Vault keys derived client-side through Argon2id (64 MiB). Row-Level Security policies enforce per-user data isolation.
Man-in-the-middle
TLS 1.3 for all API communication. CSRF tokens protect mutation endpoints. SameSite cookie policy. iOS certificate pinning.
Credential stuffing
Fail-closed rate limiting. Credential spray detection across IP, password, and subnet dimensions. Access anomaly detection flags unusual patterns.
Coerced unlock
Travel Fortress with split-knowledge key derivation, server-enforced time-locks, duress PIN (fake vault + silent alert), and trusted contact approval.
