Hey everyone,
I have been using Passbolt for a while now, and I have to say, it has been a game-changer for managing passwords securely. That said, I want some insights from the community on best practices for keeping everything as secure as possible.
Obviously, strong passwords and two-factor authentication are a must but are there any other lesser-known security features or configurations that you all recommend? Are there server settings, browser extensions or even cybersecurity habits that work well with Passbolt?
How do you handle backups and updates to ensure there is no data loss or vulnerabilities? I want to hear from both experienced users and newcomers on what works best for you.
I have also been diving deeper into security in general, and I’m curious—does using Passbolt help with understanding the basics of how to learn cybersecurity in a practical way?
Also, I have seen this https://community.passbolt.com/t/how-can-i-change-the-password-i-use-to-login-in-passbolt/2720 and still need to know.
Thank you in advance! 
Hi halcyoncv,
This curiosity is so vital to understanding and managing technical systems!
I would start by pointing out that fundamentally Passbolt is ‘just’ a LAMP stack, so in many ways it’s built on exactly the same tools that have hosted most web applications for over 30 years.
If you can back up your database, web server files, Passbolt configuration files and OpenPGP keys, and stick them in a folder, then you’ve got your backups right there.
What is worth noting though is the use of the OpenPGP standard for cryptography as implemented in the https://gnupg.org software.
The Pro version of Passbolt has the feature to escrow all users’ private keys by encrypting them as individual messages in the database that can only be decrypted with an Organization Recovery Key (ORK), which the admin could technically use on an air-gapped computer so the ORK never touches the hosting Passbolt server. For the Community Edition your users must either keep the Account Recovery Kit that is offered upon account creation or download it from their profile while they still have access to a browser that is configured correctly, or you collect and store each user’s private key separately through some manual process.
This brings us to an interesting feature of Passbolt, which is the Passbolt Browser Extension. The private key for a user is stored in local browser storage (which is why a new browser profile is needed for each Passbolt account, so each is a unique extension instance with access only to its own private key). This is very important to understand, as without the Account Recovery Kit or a configured browser there is no way to decrypt that user’s secrets in Passbolt any more.
An example that’s been in the news recently is Apple’s Advanced Data Protection for iCloud, which was recently disabled for the United Kingdom so data could be decrypted for law enforcement requests.
So my recommendation would be for you to take a look at the differences between TLS, PGP, and SSH, which will help you understand the cryptographic security models and the different problems that are being solved using similar tools.
Public Key Cryptography is a beautiful thing.
I’m happy to answer more questions if you have them!
cheers
gareth
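As an added illustration of the backup advice in the reply above (this is example code written for this thread, not Passbolt’s own tooling or anything gareth posted), here is a small Bash script that collects the four things named there: a database dump, the Passbolt configuration, the server OpenPGP keys, and the avatar directory. It writes a sha256 manifest into the archive so a restore can detect a corrupted or tampered backup, and optionally encrypts the archive to an admin OpenPGP key. The paths `/etc/passbolt`, `/etc/passbolt/gpg` and `/var/www/passbolt/webroot/img/public`, the database name `passbolt`, and the environment variable names are assumptions based on a typical Debian/Ubuntu package install; adjust them to your layout.

```bash
#!/usr/bin/env bash
# Added example: backup of a package-installed Passbolt CE server.
# All paths and names below are assumptions; override via environment variables.
set -euo pipefail

PASSBOLT_CONFIG="${PASSBOLT_CONFIG:-/etc/passbolt}"                         # passbolt.php + gpg/serverkey*.asc
PASSBOLT_AVATARS="${PASSBOLT_AVATARS:-/var/www/passbolt/webroot/img/public}" # user avatars
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/passbolt}"
DB_NAME="${DB_NAME:-passbolt}"
GPG_RECIPIENT="${GPG_RECIPIENT:-}"   # fingerprint of an admin key kept offline; empty = leave archive unencrypted

# dump_db OUTFILE: consistent dump of the Passbolt schema.
# Credentials come from ~/.my.cnf, never from the command line (they would show up in `ps`).
dump_db() {
  mysqldump --single-transaction --routines --triggers "$DB_NAME" > "$1"
}

# pack_backup STAGE_DIR OUT_TAR: write a sha256 manifest of every staged file, then archive
# the staging directory. The archive is owner-read-only: it contains the server private key.
pack_backup() {
  local stage="$1" out="$2"
  ( cd "$stage" && find . -type f ! -name SHA256SUMS -print0 | sort -z | xargs -0 sha256sum > SHA256SUMS )
  tar -C "$stage" -czf "$out" .
  chmod 0600 "$out"
}

# verify_backup OUT_TAR: extract to a scratch directory and recheck the manifest.
# Returns 0 when every file matches, 1 when anything is missing or altered.
verify_backup() {
  local out="$1" tmp rc
  tmp="$(mktemp -d)"
  tar -C "$tmp" -xzf "$out"
  if ( cd "$tmp" && sha256sum -c --quiet SHA256SUMS ); then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return "$rc"
}

# run_backup: stage config, server keys, avatars and a DB dump; pack; optionally encrypt.
run_backup() {
  local stamp stage out
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  stage="$(mktemp -d)"
  mkdir -p "$BACKUP_ROOT" "$stage/etc" "$stage/avatars"
  chmod 0700 "$BACKUP_ROOT"

  dump_db "$stage/passbolt-$stamp.sql"
  cp -a "$PASSBOLT_CONFIG/passbolt.php" "$PASSBOLT_CONFIG/gpg" "$stage/etc/"
  [ -d "$PASSBOLT_AVATARS" ] && cp -a "$PASSBOLT_AVATARS/." "$stage/avatars/"

  out="$BACKUP_ROOT/passbolt-$stamp.tar.gz"
  pack_backup "$stage" "$out"
  rm -rf "$stage"

  if [ -n "$GPG_RECIPIENT" ]; then
    # The plaintext archive holds the server's OpenPGP private key and the encrypted secrets.
    # Encrypt it to an admin key whose private half lives offline, then remove the plaintext.
    gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT" -o "$out.gpg" "$out"
    shred -u "$out" 2>/dev/null || rm -f "$out"
    out="$out.gpg"
  fi
  echo "$out"
}

# Only perform a real backup when invoked as `passbolt-backup.sh run`; sourcing the file
# just defines the functions so they can be reused or tested.
if [ "${1:-}" = "run" ]; then
  run_backup
fi
```

Usage: `sudo GPG_RECIPIENT=<admin-key-fingerprint> ./passbolt-backup.sh run`, then `verify_backup` on a restore host before you need it. Keeping the server private key out of the same backup as the database would not help here (Passbolt cannot start without it), which is why the example encrypts the whole archive to a key that never lives on the server.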