Padloc is a secure, encrypted password management system.

Padloc, an open-source, end-to-end encrypted password management system, engaged Open Technology Fund’s Red Team Lab to carry out a penetration test for the platform. The cloud-based service was designed to be the first password management system that is truly usable and accessible for everyone, not just the technically experienced. Password managers are an essential tool to protect people’s privacy, security, and freedom online. While this is true for anyone using the internet, it is especially important for those whose privacy or freedom are actively threatened by oppressive regimes and other bad actors.

To that end, Radically Open Security (ROS) carried out a penetration test for Padloc to assess the security of the system.

The penetration test for Padloc discovered no high or critical issues, and only several moderate- to low-severity issues, which have since been addressed. The results indicate that Padloc has implemented solid cryptographic primitives and hardened rendering libraries. The code appears well-written, with no major implementation issues found.

Architecturally, there are fundamental challenges Padloc still faces in order to achieve its design goal of zero-trust, secure password storage. These challenges are inherent to the chosen technologies: as a web-based password manager, users have to trust the code served to them by the server. As with comparable projects, these are commonly accepted risks.

Security is a process which must be continuously evaluated and improved. Regular audits and ongoing improvements are essential in order to maintain control of information security. This audit contributed meaningfully towards that end.

Padloc – Penetration Test 2022