Passbolt: Open-source password manager for security-conscious organizations
In this Help Net Security interview, Kevin Muller, CEO at Passbolt, delves into the critical concerns linked to password usage, outlines how the Passbolt password manager guarantees the utmost level of security for businesses, highlights its features in the competitive landscape, sheds light on how Passbolt meets the distinct requirements of teams and organizations, and more.
What are the main issues associated with using passwords, and how do these problems impact online security and user experience?
The most common issue, even in 2023, is that people are still choosing weak passwords – using simple words or compromised passwords. Users consistently use the same password for multiple accounts, making it easier for attackers to gain access to other systems after one has been compromised.
Some issues have nothing to do with the user’s choice of password, such as phishing attacks, where users are misled into revealing passwords. This can prove to be very costly in the form of identity theft, financial loss, or a complete loss of access. Passwords are frequently stored on servers, and some services continually fail to implement best security practices for password storage or account recovery procedures.
MFA providers can provide an extra layer of security, but some are vulnerable to various forms of attack. All of this leads to frustration, stress, and even situations where users simply give up on following security best practices and hope for the best.
This security fatigue is further exacerbated by policies that force users to change passwords frequently or to use complex, hard-to-remember passwords. All is not lost, though; new initiatives such as passkeys aim to address these issues.
How does Passbolt ensure the highest level of security for organizations?
Passbolt is developed using proven security standards like OpenPGP and complies with security auditing standards such as SOC2 Type II. All of our security practices meet or exceed industry standards. The source code is regularly audited by reputable pentesters such as Cure53 to identify and mitigate any potential security risks.
Internally at Passbolt we take security very seriously. Our team is experienced and trained in handling sensitive data, adhering to strict security standards and preventing potential social engineering threats. We also have a security model that is quite different from other password managers.
In what ways does Passbolt’s security model set it apart from other password managers on the market?
Passbolt is truly reinventing the password manager security model. Every aspect of Passbolt is designed to put users in control of their own data, while protecting them from a wide range of potential threats.
One of the most notable ways Passbolt achieves this is by using a private key system. Unlike traditional password managers, Passbolt requires a randomly generated private key that is truly independent of the end-user password. Even if an attacker manages to trick users into providing their passphrase, they still won’t be able to access their account. By design, it’s impossible for attackers to use popular passphrases from previous breaches to gain access, even if MFA is not enabled.
Similarly, a lot of people ask us about our mandatory browser extension, which is a central part of our security model. Why is it mandatory? Well, for an even higher level of security, an attacker with access to the server cannot change the sensitive code of the application. By separating these, Passbolt ensures cryptographic code integrity and protects against phishing. As an added bonus, the extension offers autofill and quick access to your resources!
All data is encrypted using the OpenPGP standard, which is an interoperable format. This means that it is possible to access and decrypt Passbolt data directly with other tools that are by default present on most Linux systems (curl and gnupg for example). It offers other benefits, for example advanced users can choose from several secure algorithms to encrypt their data. And because Passbolt is open source, every aspect of the security model is transparent and auditable. This is what we call radical openness. Security experts can (and do) audit Passbolt for any potential risks, helping to enhance the overall security of the platform.
Finally, Passbolt is designed not to “phone home”, e.g. to not transmit by default any user telemetry information back to us. Your information remains private and secure, just how it belongs.
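The passphrase-independent private key described in the answer above, as an added example that is not Passbolt's code: a toy construction in Python's standard library (scrypt plus an HMAC-based cipher standing in for OpenPGP) that contrasts a vault key derived from the master password with a random private key that the passphrase only wraps. All function names, the data layout and the cipher are assumptions for illustration, not Passbolt's implementation.

```python
import hashlib, hmac, os

def kdf(passphrase: bytes, salt: bytes) -> bytes:
    # Password-based key derivation (stdlib scrypt, small cost for the demo).
    return hashlib.scrypt(passphrase, salt=salt, n=2**12, r=8, p=1, dklen=32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for a real cipher, not for production use.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption: nonce || ciphertext || HMAC tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    # Returns the plaintext, or None when the key is wrong or the blob was tampered with.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def setup_traditional(passphrase: bytes, secret: bytes) -> dict:
    # Master-password model: the vault key IS derived from the passphrase, so the
    # server-side blob plus a phished passphrase is enough to decrypt everything.
    salt = os.urandom(16)
    return {"salt": salt, "secret": seal(kdf(passphrase, salt), secret)}

def unlock_traditional(passphrase: bytes, server: dict):
    return unseal(kdf(passphrase, server["salt"]), server["secret"])

def setup_passbolt_style(passphrase: bytes, secret: bytes):
    # Passbolt-style model (simplified assumption): a random private key, independent of
    # the passphrase, encrypts the secret; the passphrase only wraps that key, and the
    # wrapped key stays on the client (in Passbolt, the browser extension).
    private_key = os.urandom(32)
    salt = os.urandom(16)
    client = {"salt": salt, "wrapped_key": seal(kdf(passphrase, salt), private_key)}
    server = {"secret": seal(private_key, secret)}
    return client, server

def unlock_passbolt_style(passphrase: bytes, client: dict, server: dict):
    # Both factors are needed: the wrapped key from the client and the passphrase to unwrap it.
    private_key = unseal(kdf(passphrase, client["salt"]), client["wrapped_key"])
    return None if private_key is None else unseal(private_key, server["secret"])
```

A phished passphrase combined with everything stored on the server opens the traditional vault but yields nothing in the second model, and a stolen wrapped key without the passphrase is equally useless.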
How does Passbolt cater to the specific needs of teams and organizations compared to password managers focused on individuals?
What started as a conversation about the secure collaboration issues we faced as a digital agency turned into what Passbolt is today. In the development of Passbolt, it was important to us that the features specifically addressed the issues that teams and organisations have with most password managers.
An important feature within the platform is auditability. With Passbolt, organisations can track who has accessed which resources and when they were last accessed. This feature is important for teams to maintain accountability and security.
The ability to share resources within Passbolt is incredibly granular. Users can control who has access to resources at every single level, no matter how complex. There’s no ‘one size fits all’ organisational structure, and access control levels should reflect that.
Passbolt has a robust community, constantly improving documentation, and our team is an excellent resource if users ever find themselves in need of support. Password management can feel stressful when you have an entire organisation full of them, but no matter how daunting, our team makes it effortless.
What are some of the unique features of Passbolt that enable the platform to be versatile enough to run on a Raspberry Pi?
Part of what makes Passbolt versatile enough to run on the Raspberry Pi is the platform’s unique Linux roots. The foundational components are super easy to use and work seamlessly with the Linux OS that’s standard on all Raspberry Pi devices. Passbolt is designed with simplicity in mind – optimised for a low footprint – and uses minimal system resources such as CPU and memory, making it perfect for running on devices with limited processing power, as it won’t hog all the resources and slow things down.
Passbolt is also open source, which makes it ideal for use on mostly any Linux device. Everyone can access the source code, it’s freely available for users to modify and even redistribute if they choose. This empowers a community of users to contribute knowledge and expertise to make Passbolt even better – especially when it comes to customisation and optimisation for specific hardware such as the Raspberry Pi.
You’ve recently been accepted into the Google for Startups Growth Academy for Cybersecurity. What do you expect from this opportunity?
We’re really grateful for the opportunity to meet some experienced mentors and advisors from Google. It’s going to be a great chance to network – specifically since Google is already a passkey leader (with Android and browser extension APIs). We can’t wait to soak up all the knowledge and insights they have to offer on other topics too.
And we’re not just excited about meeting the folks at Google. We’re also thrilled to connect with other cybersecurity entrepreneurs from across Europe who may be experiencing similar challenges and opportunities. It’s going to be a great chance to learn from each other and build some valuable connections.
Working closely with Google and peers, and engaging with a diverse community, will help Passbolt gain new perspectives that can help us achieve long-term success. All in all, we’re feeling super lucky to be part of the program and we’re excited to see where it takes us.