Security and privacy

Trust starts with what HashThat cannot see

HashThat is built around zero-knowledge vault protection, local recovery workflows, and account controls that help users protect access across devices.

Zero-knowledge vault design

Passwords and encrypted note data are protected before storage. Private vault content is decrypted on the user's device, not inside HashThat's backend.

Optional secret key

Users can add a second master credential so protected keys depend on both the master password and the extra secret key.

Local recovery decryption

Recovery files are parsed and decrypted locally. HashThat support should never need, request, or handle a user's recovery file.

Vault protection

Private data is encrypted before it becomes stored data

The password manager and encrypted notes workflows are designed so sensitive content is protected before persistence. That includes saved fields, imported records, note content, metadata, and protected vault keys.

  • Master passwords are not sent to the server in plain text.
  • Password vault fields are encrypted field by field.
  • Password imports are encrypted locally before upload.
  • Generated passwords are created locally on the user's device.
  • Password reveal can auto-hide secrets after a short countdown.
  • History and audit screens help users understand sensitive changes.

Recovery without exposure

Recovery is separated from a simple password reset

HashThat keeps the difference clear: resetting account access is not the same as decrypting an older vault. Recovery files and locked-vault recovery are built to preserve privacy while giving users a practical way back.

1

Reset creates new access

A master password reset can restore account access going forward, but older encrypted vault data may remain locked to the previous credential.

2

Recovery file protects the original vault

The .htrecovery flow verifies the recovery request, parses the file locally, and reveals recovered credentials only after the user chooses to show them.

3

Locked-vault recovery joins data back up

If a user later remembers an older master password, HashThat can re-encrypt matching locked vault keys under the current credentials.

Account takeover protection

Security Pro protects the account around the vault

Zero-knowledge encryption protects private content. Security Pro adds controls around who can log in, which devices are trusted, and when sessions should be closed.

Two-factor authentication

Require a 6-digit authenticator code during login when 2FA is enabled.

Device verification

Allow account access only from approved devices and block unknown login attempts.

Login notifications

Send alerts for new logins and security-sensitive account activity.

Session management

Review active sessions and close access remotely from the account settings area.

Link controls are about access and measurement, not vault encryption

Short links are public URLs, so HashThat is explicit about the boundary. Use links for routing, QR codes, schedules, limits, and analytics. Use passwords or encrypted notes for private content.

  • Password-protected short links.
  • Validity windows can activate and expire links automatically.
  • Total and unique click limits can restrict access.
  • QR code download gives every link an offline sharing path.
  • Analytics show clicks, referrers, geography, devices, browsers, UTM details, and recent events.

Operational trust

Built for real account and subscription workflows

Web, iOS, and Android

HashThat supports web accounts alongside native mobile subscription management through app-store billing flows.

Language-aware interface

English is the official language, with a broad set of beta translations available from the app language selector.

Pro gates are explicit

Upgrade banners and locked states make it clear when a workflow belongs to Passwords Pro, Links Pro, Notes Pro, or Security Pro.

Next step

Choose the protection that matches the risk

Start with the encrypted password vault, then add Security Pro when 2FA, recovery files, device verification, and session controls become important to the account.