Password Protection

Secret Server uses AES (Advanced Encryption Standard) with a 256-bit key, the Rijndael algorithm. This cipher is approved by the US Government and was adopted by NIST after a 5-year standardization process. Secret Server uses AES 256 because it is the strongest encryption available for password protection.

Secret Server salts and hashes user passwords using a randomly generated salt and the SHA512 hashing algorithm. SHA1 has recently been shown to be less secure than previously thought. SHA1 is still secure given the computing power available today, but why take chances? Secret Server switched over in version 2.1 to become an elite, secure password manager.
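To make the salted-SHA512 scheme described above concrete, here is an added example (not Secret Server's own code) using only the Python standard library. The record layout "sha512$<salt hex>$<digest hex>" and the 16-byte salt size are assumptions for illustration.

```python
# Added example, not Secret Server's implementation: per-password random salt
# plus SHA-512, with constant-time verification. Record layout is assumed.
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16  # 128-bit random salt per stored password (assumed size)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a stored record for `password` built from a random salt and SHA-512."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh, unpredictable salt for every password
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record is never treated as a match
    if algo != "sha512":
        return False
    expected = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    # compare_digest does not leak how many leading characters matched
    return hmac.compare_digest(expected, digest_hex)


def same_password_differs(password: str) -> bool:
    """Two accounts with the same password get different records, so a
    precomputed table of plain SHA-512 values cannot be reused across users."""
    a = hash_password(password)
    b = hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))  # False
    print(same_password_differs("hunter2"))  # True
```

The structure is identical if a deliberately slow password hash is swapped in for SHA-512; only the digest call changes.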


Encryption Key Per Installation

Secret Server generates a unique encryption key during installation. This key is in turn encrypted and kept in the encryption.config file. The combination of this file and your Secret Server database would allow you to reconstitute your system at any point. Back up your encryption.config file and your database! (In fact, you might as well back up the whole SecretServer application folder along with the database, for easy moving or restoring of the application.)

The encryption key is used when encrypting/decrypting data from the database using the AES algorithm.


Login password protection

Secret Server has various options for tightening security around user login. On the Configuration screen of your Secret Server you can choose to:

  • Require username/password on every login if desired
  • Block browser autocomplete functionality if desired
  • Incorporate authentication against your Active Directory server
  • Allow "Remember Me" for a configurable time period or disable it entirely
  • Choose the number of login failures before a user is marked as inactive

We are constantly making strides to enhance Secret Server as a secure password manager. Future functionality for Secret Server will include optional Two Factor Authentication.


Security Task

"We have found a group of dedicated developers that have created a small software that fulfills a huge security task!!"

Claus Loeppenthien
Saxo Bank, Denmark
System Administrator