Single-Password Authentication

As requested, we rolled out Single-Factor Authentication (SPA). You still can enable Two-Password Authentication in the settings page or disable it if you have an account already.


Two-Password Authentication works in a way that we can only store a password which is hashed and salted, and your secret phrase is never transmitted even as a hash. We believe this approach provides the ultimate protection and eliminates even the slightest chance to recover or bruteforce your secret phrase.

Other services that use a single password approach hash your password and store it on the server, and if you did not use a strong enough password, it can be bruteforced and recovered by using rainbow tables even if its salted. It would just take a little more time.

We took time to think about how we can use Single-Factor but still offer you superior protection against bruteforcing in the event our server gets compromised or seized. We called it 'Fluid Hashing'.

We use a PKCS#5 function to derive a 512 bit key from your password, but we don't use a fixed number of rounds to do it. It all depends on the first letter in your password. If you are using non - English characters, it can be very high (even a few thousands). Fluid Hashing attacker would need to create more than 5000 rainbow tables to bruteforce even a simple password. Also, by providing a limited amount of guesses for the password, it makes the hacking task almost impossible.

The data encryption key is generated with 256 bytes salt and derived from 4096 rounds of PKCS#5.
The above technique can guarantee a very strong bruteforce resistant password and secure your communication with even a single password.

We still discourage the use of dictionary words as it is difficult to protect this approach from a successful attack due to the very limited number of combinations.