Why Neulock? Discover the Evolution of Password Managers

Over the years, we've seen repeated vulnerabilities exposed in even the most popular password managers. At Neulock, we don't just aim to be another password manager — we've reinvented the wheel, prioritizing your privacy and security at every step.

The Common Misstep of Traditional Password Managers

Let's unpack the regular paradigm: Most password managers encrypt user data, including passwords, in an encrypted "vault", and back it up on centralized servers. The idea is security through encryption. Sounds secure, right?

But encryption algorithms, as history has shown, can be broken or become obsolete over time. Moreover, centralized servers are honeypots: when millions of secrets rest in one place, they become an enticing target for adversaries, regardless of encryption.

Figure: Most password managers sync user data, including passwords, with their cloud servers.

Even worse, many password managers don't even follow through on their own security models. Some promise end-to-end encryption, but then offer a convenient recovery mechanism in case you forget your master key. This circumvents their own security design and creates an opportunity for hackers.

Neulock's Pioneering Approach

We've engineered a novel approach. With Neulock, we don't store passwords. Instead, they're dynamically generated using your master key, on your own device, whenever needed. What's on our servers? Only non-sensitive metadata. This ensures that even in the unimaginable scenario where our servers are compromised, your secrets remain inviolate.

Figure: Neulock syncs only non-sensitive metadata to its cloud server. Neulock's Invisible Ink technology ensures that your secrets never leave your device.

Note: the metadata is non-sensitive from a security standpoint, since it contains no secret information. But it may be sensitive from a privacy standpoint, because it contains a list of services you use and your usernames. At Studio V, privacy is a core component of our mission. We always encrypt this metadata, both when it's being transferred and when it's stored, using the strongest settings of algorithms recommended by NIST.

Dive Deep into Our Security Model

Your master key is securely stored on your device. On Neulock for Android and for iOS, it is accessible only via biometrics. On Neulock Web, your master key is encrypted with a long (256-bit), random key that is stored only on Neulock's servers and retrieved only into memory upon sign-in; this encrypted master key is kept in your browser's local storage. In both cases, the Neulock client should resist many attack vectors on your device, including a full-disk dump.

The master key, combined with account-specific metadata, is processed through Invisible Ink, our advanced, memory-hard, quantum-resistant hashing algorithm to dynamically generate passwords as and when needed.

Understanding Neulock's Security Foundations

Every security system, no matter how advanced, has its limits. At Studio V, we pride ourselves on transparency, so it's essential for our users to be aware of Neulock's two security foundations that guarantee your passwords remain private:

Device Compromise: If a hacker were to gain full control of your phone or computer, they could steal your passwords by logging your keystrokes as you type them or recording your screen as you paste them from a password manager.

Neulock leverages all of your device's security features to safeguard your secrets. The master key is kept in the device's most secure storage option, protected with your biometrics if available. But no password manager can protect against a device that has been fully compromised. This underlines the importance of securing your devices, especially by keeping the system up-to-date, and being cautious of any suspicious activities or communications.

Weak master key: Our servers store only non-sensitive metadata. In the unlikely scenario where there's a breach on our end, and a hacker has this metadata, it's still far from a half-finished puzzle. Since our servers have nothing that serves as an oracle to your master key, in order to crack it by brute-force, the attacker will also need to steal one of your actual passwords from another platform. Even if the hacker gets this far, our proprietary Argon2-based algorithm ensures a strong master key resists brute-force attacks for the foreseeable future.

If the same hacker also learns your master key, however, they can complete the puzzle and potentially access your dynamically generated passwords. This scenario underscores the necessity of using a unique and intricate master key only for Neulock, and not sharing or reusing it or variations of it across other platforms or services.

With other password managers, in case of a server breach, your passwords are at risk. Even if the password vaults are indeed protected by end-to-end encryption, the attacker can start trying to crack the stolen vaults immediately. There is strong evidence that high-value vaults have been cracked after a leak from another password manager's servers. And you, as a user, can do absolutely nothing to prevent server breaches: this responsibility lies entirely with the company that operates the password manager.

Neulock is designed to keep your passwords secure even in the unlikely event of a breach on our end. Because we don't store anything on our servers that's encrypted, hashed, or related to your master key, attackers can't use any information from us to aid a brute-force attack. The two security foundations outlined above are completely within your control. If you uphold these principles, Neulock will safeguard your passwords, ensuring you don't need to place blind trust in our servers.

Neulock vs Traditional Password Managers: Security Comparison

Attack Scenario | Neulock | Traditional Password Managers
End-User Device Compromise | At Risk (All password managers are vulnerable if device security is fully compromised) | At Risk (All password managers are vulnerable if device security is fully compromised)
Server Breach (weak master key; attacker already knows some user passwords) | At Risk (Attacker could use known passwords as oracle to brute-force a very weak master key) | At Risk (Passwords easily compromised by brute-force)
Server Breach (weak master key; attacker knows no user passwords) | Safe (Even with weak master key, there's no oracle to tell if brute-force succeeded) | At Risk (Passwords easily compromised by brute-force)
Server Breach (strong master key) | Safe (No passwords stored) | At Risk (Passwords potentially compromised, depends on encryption effectiveness)
Encryption Algorithm Obsolescence | Safe (Passwords not stored, thus not affected) | At Risk (Stored passwords may become vulnerable)
Master Key Recovery Mechanism Exploited | Safe (No recovery mechanism that compromises security) | At Risk (Recovery mechanisms can be a weak point)
Quantum Computing Advances | Safe (Utilizes quantum-resistant algorithms) | At Risk (May not be equipped with quantum-resistant measures)

Invisible Ink: Our password generating algorithm

Neulock calculates passwords using Invisible Ink, our proprietary algorithm that takes two inputs: the non-sensitive metadata about your account and your master key. The resulting password is random-like, so that it cannot be guessed.

The tech-savvy among you must be saying: but rolling your own crypto is a terrible idea! We completely agree; that's why we didn't. The crypto primitive at the core of Invisible Ink is the state-of-the-art, award-winning Argon2. We have set it up to be extremely memory-hard, CPU-intensive and even future-proof.

Argon2 is the gold standard in password hashing and key derivation. It brings together the best features to resist various forms of cyberattacks. Notably, its memory-hardness ensures that the hash computation requires a significant amount of memory, posing challenges to attackers attempting to use advanced parallel architectures for brute-force attacks. This quality, combined with configurable parameters, allows us to keep pace with advancing hardware technologies and ensure the hash remains computationally demanding.

Quantum computing often raises concerns in the realm of cybersecurity, but Invisible Ink with Argon2 stands strong. While quantum computers can speed up computations, Argon2's memory-hard attribute remains a formidable challenge for them. Invisible Ink bolsters quantum resistance by tuning Argon2's computational parameters and using very large hash outputs.

Additionally, Argon2 incorporates a technique called salting, enhancing protection against large-scale attacks. By adding a very large random value (or 'salt') to the non-sensitive metadata, Invisible Ink ensures that all generated passwords are statistically unique — even if you happen to use the same master key as someone else. This thwarts attackers from leveraging precomputed tables and optimizes security for our users.

Rest assured, with Invisible Ink at the core of Neulock, your data is safeguarded by cutting-edge cryptographic protection.

Why Tech-Savvy Individuals Are Turning to Neulock

Don't Let Your Passwords Be Your Weak Link!

Discover the power of Neulock's Invisible Ink technology for unbeatable password security.
