Zero-knowledge vault design
Passwords and encrypted note data are protected before storage. Private vault content is decrypted on the user's device, not inside HashThat's backend.
Optional secret key
Users can add a second master credential so protected keys depend on both the master password and the extra secret key.
Local recovery decryption
Recovery files are parsed and decrypted locally. HashThat support should never need, request, or handle a user's recovery file.
Vault protection
Private data is encrypted before it becomes stored data
The password manager and encrypted notes workflows are designed so sensitive content is protected before persistence. That includes saved fields, imported records, note content, metadata, and protected vault keys.
- Master passwords are not sent to the server in plain text.
- Password vault fields are encrypted field by field.
- Password imports are encrypted locally before upload.
- Generated passwords are created locally on the user's device.
- Password reveal can auto-hide secrets after a short countdown.
- History and audit screens help users understand sensitive changes.
Recovery without exposure
Recovery is separated from a simple password reset
HashThat keeps the difference clear: resetting account access is not the same as decrypting an older vault. Recovery files and locked-vault recovery are built to preserve privacy while giving users a practical way back.
Reset creates new access
A master password reset can restore account access going forward, but older encrypted vault data may remain locked to the previous credential.
Recovery file protects the original vault
The .htrecovery flow verifies the recovery request, parses the file locally, and reveals recovered credentials only after the user chooses to show them.
Locked-vault recovery joins data back up
If a user later remembers an older master password, HashThat can re-encrypt matching locked vault keys under the current credentials.
Account takeover protection
Security Pro protects the account around the vault
Zero-knowledge encryption protects private content. Security Pro adds controls around who can log in, which devices are trusted, and when sessions should be closed.
Two-factor authentication
Require a 6-digit authenticator code during login when 2FA is enabled.
Device verification
Allow account access only from approved devices and block unknown login attempts.
Login notifications
Send alerts for new logins and security-sensitive account activity.
Session management
Review active sessions and close access remotely from the account settings area.
Link controls are about access and measurement, not vault encryption
Short links are public URLs, so HashThat is explicit about the boundary. Use links for routing, QR codes, schedules, limits, and analytics. Use passwords or encrypted notes for private content.
- Password-protected short links.
- Validity windows can activate and expire links automatically.
- Total and unique click limits can restrict access.
- QR code download gives every link an offline sharing path.
- Analytics show clicks, referrers, geography, devices, browsers, UTM details, and recent events.
Operational trust
Built for real account and subscription workflows
Web, iOS, and Android
HashThat supports web accounts alongside native mobile subscription management through app-store billing flows.
Language-aware interface
English is the official language, with a broad set of beta translations available from the app language selector.
Pro gates are explicit
Upgrade banners and locked states make it clear when a workflow belongs to Passwords Pro, Links Pro, Notes Pro, or Security Pro.
Next step
Choose the protection that matches the risk
Start with the encrypted password vault, then add Security Pro when 2FA, recovery files, device verification, and session controls become important to the account.