RoboForm Security

Your Passwords Are Private

Your passwords are encrypted with your own secret key—the RoboForm Master Password. With RoboForm, all decryption of your RoboForm data happens on your device and not on our servers. No RoboForm data can be accessed without the Master Password. Because your Master Password does not transmit to our servers, we have no way of knowing what it is and subsequently no way of accessing your data.

Showing how RoboForm can fill forms with one click

Keeping You Secure

Strong Encryption

To protect against dictionary, brute force, or other attacks, we use AES256 bit encryption with PBKDF2 SHA256. PBKDF2 is a key stretching algorithm used to hash passwords with a salt.

Robust Requirements

In addition to not sending and storing your Master Password, we require a minimum Master Password length of 8 characters, with a minimum of 4 nonnumeric characters.

Multi-Factor Authentication

Add a second authentication step to your RoboForm account in the form of a one-time password (OTP) sent via email or SMS, or via TOTP based two-factor authentication (2FA).

Security Center

RoboForm calculates your Security Score based on the number of reused passwords, duplicated Logins (username and password combinations), and the strength of your individual passwords.

Secure Sharing

RoboForm utilizes a public key exchange mechanism between sharing parties which ensures local encryption / decryption, as well as end-to-end encryption. The sender can set the recipient's permission level for their shared files and folders.

Emergency Access

Grant a trusted contact access to your RoboForm data in the event of death, incapacitation, or simply as a method of account recovery in case you forget your Master Password.

Frequently Asked Questions

What if RoboForm servers were to be hacked? Would my data be vulnerable? Our servers are located at a secure US-based facility with a 99.99% uptime guarantee by the hosting service provider that uses double redundancy for power and connectivity. Your RoboForm data is always stored encrypted on our servers with AES256, the strongest available encryption. Am I required to store my data on your servers? No. You can turn off the Sync functionality at any time. By doing so, your data will only be stored locally on your device. Certain features such as Secure Sharing and Web Access, however, do require Sync to be on. Do you see my Master Password when I access my data through the web interface? All RoboForm data is encrypted and decrypted locally and never on our servers. This occurs whether accessing your data via the RoboForm web portal, the local application, or the browser extension. How does RoboForm calculate individual password strength? RoboForm calculates individual password strength using zxcvbn Most password strength meters calculate purely based on counts of lowercase letters, uppercase letters, digits, and symbols (LUDS). In addition to this, zxcvbn incorporates dictionary entries, common names, as well as common passwords and their variants. In effect, the password strength you see in RoboForm Security Center is reflective of how long it would take a good password cracker to guess the password, not just an LUDS score. A detailed paper on zxcvbn can be found here. Does RoboForm have a built-in password generator? The random password generator included with RoboForm is a tool that frees you from having to constantly come up with unique passwords for each of your sites. It works by automatically generating strong and random passwords that include combinations of numbers, uppercase and lowercase letters, and special characters. These combinations can be adjusted to fit different sites' unique password requirements.

Get RoboForm Free Start Business Trial

Security You Can Trust