Security Architecture
Trust is earned through transparency. Here is a detailed look at how Shhh protects your most sensitive data.
Zero-Knowledge Encryption
Shhh is a zero-knowledge platform. The data you store in your vault (passwords, secure notes, credit cards) is encrypted entirely on your client device (your browser or mobile phone) before it is sent over the network to our servers.
We only store the resulting encrypted ciphertexts. The decryption keys never leave your device, meaning that even if our databases were completely compromised, the attackers would only find indecipherable mathematical noise.
Authentication & Identity
Traditional password managers rely on a single Master Password. If this password is weak, reused, or captured by a keylogger, your entire vault is compromised. Shhh eliminates the Master Password entirely.
Instead, we delegate identity verification to Google OAuth. We trust the security engineers at Google to handle login security, suspicious login detection, and account recovery. To add an extra layer of defense, we enforce an internal Two-Factor Authentication (2FA) check before allowing access to the vault.
Strict Session Management
Decrypted secrets are held purely in your device's volatile memory (RAM) while your vault is unlocked. We enforce a strict, non-negotiable 60-minute session limit. Once the session expires, the vault locks, and the memory containing your decrypted secrets is cleared.
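The sketch below is an added illustration of the session rule described above, not Shhh's own code: a memory-only store that enforces the 60-minute limit on every read and overwrites its buffers when it locks. The SessionVault class, its method names, and the injectable clock are hypothetical, and it assumes secrets are kept as Uint8Array buffers, because JavaScript strings cannot be overwritten in place.

```javascript
// Added illustration, not Shhh's code. SessionVault and its methods are hypothetical names.
const SESSION_LIMIT_MS = 60 * 60 * 1000; // the 60-minute limit stated on this page

class SessionVault {
  // `now` is injectable so expiry can be exercised without waiting an hour.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.secrets = new Map(); // name -> Uint8Array of plaintext bytes, memory only
    this.unlockedAt = null;
  }

  // Takes ownership of the buffers; callers should not keep separate copies,
  // and any string decoded from a buffer is outside this class's control.
  unlock(decrypted) {
    this.lock(); // wipe anything left from a previous session
    for (const [name, bytes] of Object.entries(decrypted)) {
      if (!(bytes instanceof Uint8Array)) {
        throw new TypeError(`secret "${name}" must be a Uint8Array`);
      }
      this.secrets.set(name, bytes);
    }
    this.unlockedAt = this.now();
  }

  isUnlocked() {
    if (this.unlockedAt === null) return false;
    // Absolute limit measured from unlock; activity does not extend it.
    if (this.now() - this.unlockedAt >= SESSION_LIMIT_MS) {
      this.lock();
      return false;
    }
    return true;
  }

  // Expiry is checked on every read, so it does not depend on a timer
  // that a background tab may throttle or delay.
  read(name) {
    if (!this.isUnlocked()) throw new Error("vault is locked");
    const bytes = this.secrets.get(name);
    if (bytes === undefined) throw new Error(`no secret named "${name}"`);
    return bytes;
  }

  lock() {
    for (const bytes of this.secrets.values()) bytes.fill(0); // overwrite in place
    this.secrets.clear();
    this.unlockedAt = null;
  }
}
```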