At NordPass, our mission is to develop affordable, secure, and easy-to-use cybersecurity tools. We aim to deliver simpler, cleaner, faster, and safer solutions. A crucial step toward achieving our goal was an independent audit, which helped us build a more reliable and robust password manager.
With the help of pen testers, we identified potential issues before hackers could exploit them, patched them, and ensured even higher security standards for our users.
We wanted the public to be able to get an independent assessment of NordPass's security and form their own opinion, which is why we started this audit even before NordPass' public launch.
The results
We’re proud to tell you that NordPass has successfully finished an independent security audit by Cure53, a well-respected third-party auditor. They reviewed our cryptographic premise, the source code of the desktop and mobile apps, and the NordPass background application and its codebase. After a few months of thorough analysis, they finalized their findings by saying:
“Numerous positive observations have been made in relation to the level of detail and adherence to the specification, clarity and readability of the Go code and implementation, overall security of the desktop application, browser extension, as well as iOS and Android branches of the NordPass applications.”
- Cure53 Report, February 2020
What did the auditors check?
The white-box methodology was chosen for the audit. That means we provided the Cure53 team with information about NordPass, such as access to various materials, documentation, source code, and other data needed for NordPass operations. According to their expertise and the scope of work, seven testers were assigned to four target areas:
A review of the cryptographic premise;
A pen test and a source code audit of the software (desktop and mobile apps);
A pen test and a source code audit of the NordPass background application and its codebase.
While testing the areas listed above, the team also reviewed the API touchpoints.
Over the four stages of the audit, the Cure53 team found nine vulnerabilities, and a further eight issues were documented as general weaknesses with low exploitation potential. Our team fixed them while the auditors continued inspecting the other target areas.
The auditors confirmed that all issues had been eliminated and that the fixes were appropriate. They were also
“impressed with the efforts [the NordPass team put] into minimizing the attack surface, which has clearly been a notable priority.”
What does this mean to you?
Audited security. We care about security, and you don’t need to just take our word for it. Independent auditors think so too.
A new feature - Trusted Contacts. Password sharing is one of the key features offered by password managers, and NordPass provides it as well. However, this feature was identified as an area for improvement because of the possibility of a man-in-the-middle attack on the key exchange.
To fix this issue, we introduced a new feature, Trusted Contacts, which lets users exchange encryption keys manually. A key that the two users confirm directly with each other cannot be swapped by an intermediary without the mismatch being noticed, so, provided both sides do compare the keys, the man-in-the-middle window in password sharing is closed and NordPass users can share their passwords safely. Trusted Contacts was released at the end of February.
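As an added illustration (example code, not NordPass's or Cure53's), here is a toy model of the sharing flow the audit flagged and of the fix a manual key exchange provides. A sender encrypts a password to the recipient's public key obtained from a server; a compromised server can substitute an attacker's key; a fingerprint obtained out of band from the recipient, compared before encrypting, catches the substitution. The DH group, the HMAC keystream, the server classes, the fingerprint format and the sample password are all assumptions made for the example; NordPass's actual protocol is not described on the page and is not reproduced here.

```python
"""Added example (not NordPass or Cure53 code): an out-of-band key fingerprint
check defeats key substitution by a compromised sharing server.  Toy DH over
the Mersenne prime 2**127 - 1 plus an HMAC keystream keep it standard-library
only; neither is a secure construction, they are illustration only."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # Mersenne prime M127: toy group, demonstration only
G = 3           # toy generator

def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short digest a user can read to a contact out of band (assumed format)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def _keystream(shared, n):
    """n bytes of HMAC-SHA256 counter-mode keystream from the DH shared secret."""
    key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    blocks = [hmac.new(key, i.to_bytes(4, "big"), "sha256").digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def encrypt_share(sender_priv, recipient_pub, secret):
    """Encrypt secret to whoever holds the private half of recipient_pub."""
    data = secret.encode()
    ks = _keystream(pow(recipient_pub, sender_priv, P), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def decrypt_share(recipient_priv, sender_pub, blob):
    ks = _keystream(pow(sender_pub, recipient_priv, P), len(blob))
    return bytes(a ^ b for a, b in zip(blob, ks)).decode()

class KeyServer:
    """Honest directory: returns each user's registered public key."""
    def __init__(self):
        self.keys = {}
    def register(self, user, pub):
        self.keys[user] = pub
    def lookup(self, user):
        return self.keys[user]

class MitmKeyServer(KeyServer):
    """Compromised directory: answers every lookup with the attacker's key."""
    def __init__(self, attacker_pub):
        super().__init__()
        self.attacker_pub = attacker_pub
    def lookup(self, user):
        return self.attacker_pub

def share_trusting_server(server, sender_priv, recipient, secret):
    """Naive flow: encrypt to whatever key the server hands back."""
    return encrypt_share(sender_priv, server.lookup(recipient), secret)

def share_with_trusted_contact(server, sender_priv, recipient, trusted_fp, secret):
    """Hardened flow: refuse unless the served key matches the fingerprint the
    recipient handed over out of band (the Trusted Contacts idea, as modelled here)."""
    pub = server.lookup(recipient)
    if not hmac.compare_digest(fingerprint(pub), trusted_fp):
        raise ValueError(f"key served for {recipient} does not match trusted fingerprint")
    return encrypt_share(sender_priv, pub, secret)

def run_scenarios():
    """Return (mitm_reads_naive_share, mitm_blocked_by_fingerprint, honest_share_decrypts)."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    mallory_priv, mallory_pub = keygen()
    secret = "correct-horse-battery-staple"  # constructed sample password

    # 1. Alice trusts the directory; Mallory, who controls it, reads the share.
    evil = MitmKeyServer(mallory_pub)
    blob = share_trusting_server(evil, alice_priv, "bob", secret)
    mallory_reads = decrypt_share(mallory_priv, alice_pub, blob) == secret

    # 2. Alice checks the served key against the fingerprint Bob gave her directly.
    bob_fp = fingerprint(bob_pub)
    try:
        share_with_trusted_contact(evil, alice_priv, "bob", bob_fp, secret)
        blocked = False
    except ValueError:
        blocked = True

    # 3. The same check passes against an honest directory and Bob can decrypt.
    honest = KeyServer()
    honest.register("bob", bob_pub)
    blob = share_with_trusted_contact(honest, alice_priv, "bob", bob_fp, secret)
    bob_reads = decrypt_share(bob_priv, alice_pub, blob) == secret
    return mallory_reads, blocked, bob_reads

if __name__ == "__main__":
    print(run_scenarios())  # (True, True, True)
```

The decisive line is the `compare_digest` check: the server's answer is only used if it matches what the contact supplied through a channel the server does not control. The check protects nothing if users skip the comparison or accept a key without verifying it, which is why a feature of this kind has to make the comparison easy and explicit.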
We continue to develop NordPass with a security-first approach, and we have recently launched a few more mobile features: an OCR scanner that imports your credit card details and notes, Biometrics, and Autofill. Check them out!
We would also like to thank Cure53 for their thorough analysis and for helping us achieve even higher security standards. For more details, please read the audit summary written by Cure53.