Here’s everything that makes NordPass secure
Learn about all the technologies, certifications, frameworks, and initiatives that ensure NordPass’ security is strong and your company data is well protected.
The core elements of NordPass security
Every design choice we make follows a “security-first” approach, so you get strong, reliable protection across the board.
Zero-knowledge architecture
Built with the zero-knowledge principle in mind, NordPass ensures that no one – not even our company – can see what you and your team store in your vaults. Each user’s data is secured in its own isolated environment to prevent unauthorized access.
End-to-end encryption
NordPass encrypts all your data locally on your device before it’s uploaded to the cloud. That way, even if the organization’s encrypted data ends up in malicious hands, it will be completely unreadable to bad actors.
XChaCha20 algorithm
NordPass is currently the only major password manager using XChaCha20 – widely considered the most advanced encryption algorithm available today. It works faster and is easier to implement than other encryption protocols, delivering top-level protection for your most sensitive data.
Bug bounty program
We’re always working to keep our infrastructure and our customers’ data as safe as possible. That’s why we employ white hat hackers to help us find any bugs or weak spots – so we can make NordPass’ security even stronger.
Regular audits
Our product undergoes regular internal reviews and independent third-party security audits. These not only help confirm that our security measures are effective, but also allow us to identify areas for future improvement.
Authentication based on OAuth 2.0
For business authentication, NordPass uses a centralized identity provider and authorization server based on the OAuth 2.0 protocol, which streamlines access control and reduces the risk of unauthorized access.
This setup follows official standards from the Internet Engineering Task Force (IETF) and fully aligns with today’s best security practices.
Encryption technology explained
NordPass uses a multi-layer encryption setup to protect your data. It combines symmetric encryption for vault contents with asymmetric encryption to secure the encryption keys and their exchange.
Each user has a unique pair of encryption keys: a public key and a private key. The public key is kept on NordPass servers and is shareable, while the private key is stored on your device. To keep it safe, your private key is encrypted locally using XChaCha20-Poly1305-IETF.
When you log in with your Master Password, NordPass uses the Argon2id algorithm combined with a 16-byte salt to derive a Master Key, which is used to decrypt your private key.
Once the app is unlocked, your private key is briefly stored in secure memory and used to decrypt the data encryption key (DEK) – a symmetric key that protects your vault contents. The DEK is encrypted with your public key, so only your private key can unlock it. When you lock the app, your private key is wiped from memory to prevent any access.
Symmetric encryption (secret-key cryptography)
XChaCha20 encrypts data in a continuous stream, offering faster performance than traditional block ciphers like AES – especially when handling large or variable-sized data. Thanks to its lightweight design, XChaCha20 allows for quick encryption and decryption, making it ideal for real-time use cases like password management.
Asymmetric encryption (public-key cryptography)
NordPass uses a combination of X25519 and XSalsa20 for key exchanges, the XSalsa20 stream cipher for encryption, and Poly1305 for message authentication (MAC). X25519 is an elliptic-curve Diffie-Hellman (ECDH) algorithm that allows two parties to securely exchange keys over insecure channels. Similar to XChaCha20, the XSalsa20 stream cipher is highly efficient, offering both speed and security across various hardware platforms. It's especially useful in scenarios where low-latency encryption is critical.
With NordPass, your organization always stays in control of its data. When an employee creates an item, they get instant access to it and can manage it right away. If that employee leaves, their items don’t disappear – they stay with the organization and can easily be reassigned to someone else. Plus, the organization can recover employees’ accounts without any risk of losing data. This is all made possible by public-key cryptography, which keeps your data secure while making management, recovery, and reassignment smooth and hassle-free.
Reliable and secure cloud storage
NordPass is hosted on Amazon Web Services (AWS). As a widely recognized and trusted cloud service provider, AWS uses strong encryption and takes careful measures to keep its servers secure.
Additionally, NordPass stores customer vault items in separate AWS data centers across the US and EU to ensure they’re instantly available and kept secure at all times.
Other ways we keep your data safe and private
Secure software development life cycle (SSDLC)
At Nord Security, we follow the secure software development life cycle (SSDLC) for every product we build – including NordPass. While the traditional software development life cycle (SDLC) model helps to organize the steps of software development and boost efficiency, the secure SDLC version takes it a step further by adding security checks at every stage. This way, everyone involved is thinking not just about what the software needs to do, but also how to keep it secure.
Logs
App logs are saved on the user’s device and are primarily used for troubleshooting. They do not contain any data that could identify the user or their device. Only the user can view the logs, which can then be shared with the Support team to help identify and fix any issues. Some critical error logs are automatically sent to the API, but only if the user has enabled crash reporting in their settings (such logs are not linked to any account and cannot be used to identify the user).
Data privacy
Your privacy is our priority. At NordPass Business, we take all the necessary steps, whether technical, physical, or administrative, to secure your data. When providing our services, we are committed to the principles of data privacy laws, making sure all data is processed legally, kept to a minimum, and handled with a focus on managing risks. You can read more about how we protect your data in our Privacy Policy.
Get started with NordPass today
Access your accounts easily and securely from anywhere, on any device.
Frequently asked questions
Yes, NordPass is generally safe to use. It stands out as a reliable, continuously improving, and secure credential management solution thanks to its strong technological foundations, including zero-knowledge architecture, end-to-end encryption, the XChaCha20 algorithm, an encrypted password vault, and AWS cloud storage; industry certifications, such as ISO 27001 and SOC 2 Type 2; and ongoing security initiatives, including internal and external audits, a bug bounty program, and data privacy compliance.