Below are the answers to certain frequently asked questions about the security of RoboForm.
I can see my passwords when I use RoboForm. Does that mean Siber Systems can as well?
No, because when you install RoboForm, all decryption of your RoboForm data happens on your device and not on our servers. No RoboForm data can be accessed without the Master Password. We have no way of knowing what your Master Password is because RoboForm does not transmit it to our servers.
What mechanism do you use to protect my encrypted RoboForm data?
To protect against dictionary, brute-force, or other attacks, we use AES-256 encryption with PBKDF2-SHA256 at 4096 iterations. PBKDF2 is a key-stretching algorithm that hashes the password together with a salt.
We also require a minimum Master Password length of 8 characters, with a minimum of 4 non-numeric characters.
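The following sketch is an added example, not RoboForm's code: it checks the stated Master Password rule and derives a 256-bit key with PBKDF2-HMAC-SHA256 at 4096 iterations, entirely on the local device. The salt length, the function names, and the HMAC key-check tag (a stand-in for the AES step, which the Python standard library does not provide) are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 4096   # iteration count stated in the FAQ
KEY_LEN = 32        # 32 bytes = 256-bit key, the size AES-256 needs
SALT_LEN = 16       # assumption: the FAQ does not state a salt length


def policy_violations(master_password: str) -> list:
    """Check the stated rule: at least 8 characters, at least 4 non-numeric."""
    problems = []
    if len(master_password) < 8:
        problems.append("shorter than 8 characters")
    if sum(not ch.isdigit() for ch in master_password) < 4:
        problems.append("fewer than 4 non-numeric characters")
    return problems


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, ITERATIONS, dklen=KEY_LEN)


def create_record(master_password: str) -> dict:
    """Build what gets stored: a random salt and a key-check tag, never the password."""
    if policy_violations(master_password):
        raise ValueError("; ".join(policy_violations(master_password)))
    salt = secrets.token_bytes(SALT_LEN)
    key = derive_key(master_password, salt)
    # Hypothetical key-check tag standing in for the AES step (no AES in the stdlib).
    tag = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "tag": tag}


def unlock(master_password: str, record: dict):
    """Re-derive the key on the device; return it only if the password was right."""
    key = derive_key(master_password, record["salt"])
    tag = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, record["tag"]) else None


if __name__ == "__main__":
    rec = create_record("correct horse 42")   # constructed sample password
    print("stored fields:", sorted(rec))
    print("right password unlocks:", unlock("correct horse 42", rec) is not None)
    print("wrong password unlocks:", unlock("correct horse 43", rec) is not None)
```

The iteration count is the work factor: every password guess costs an attacker the same 4096 HMAC rounds that a legitimate unlock does.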
Does Siber Systems see my Master Password when I access my RoboForm data through the web interface?
No. The web interface uses a method similar to the RoboForm software: decryption happens locally in your browser, not on our server.
What if Siber Systems were to get hacked? Would my data be vulnerable?
Our servers are located at a secure US-based facility with a 99.99% uptime guarantee by the hosting service provider that uses double redundancy for power and connectivity.
In addition, your RoboForm data is always stored encrypted on our servers with AES256, the strongest available encryption. Even in the unlikely event that our servers were breached, your data is effectively useless without the Master Password to decrypt it.
Am I required to store my data on your servers?
No, you can always turn Sync on or off. However, certain features such as Secure Sharing and Web Access do require it.
How is sharing RoboForm data secure?
We use public-private key encryption for our Secure Sharing feature. This allows you to provide access to your RoboForm data to trusted recipients with different permission levels without sharing your Master Password.
How does RoboForm calculate my Security Score?
Your Security Score is calculated based on how many reused passwords you have, how many Logins (username and password combinations) are duplicated, and the strength of your individual passwords.
RoboForm calculates individual password strength using zxcvbn, an open-source password strength estimator. Most password strength meters calculate purely based on counts of lowercase letters, uppercase letters, digits, and symbols (LUDS). In addition to this, zxcvbn incorporates dictionary entries, common names, as well as common passwords and their variants. In effect, the password strength you see in RoboForm Security Center reflects how long it would take a good password cracker to guess the password, not just a LUDS score. A detailed paper on zxcvbn can be found here.