SPHINX password storage

SPHINX ( S tore that P erfectly H ides from I tself (N o X aggeration)) is a simple and elegant next-generation password storage system that fundamentally reimagines how passwords should be protected.

Unlike traditional password managers that store encrypted databases full of your passwords, SPHINX stores only a random number unrelated to your actual passwords. This means the server never sees or stores your actual passwords, making it mathematically impossible for anyone (including the server operator) to discover them, even with unlimited computing power.

SPHINX is free software, completely zero-trust, offline-brute-force resistant, and can be accessed from anywhere with an internet connection. The system stores absolutely no private data and is easily extensible for advanced users.

SPHINX "stores"¹ only your passwords, and nothing (except for some rules about password length, character classes and maybe encrypted usernames) but your passwords. No bloat, very limited attack surface, very strong security guarantees.

Legacy password managers are all the same – they encrypt your password database with a symmetric cipher and a key derived from your master password. This concept is from the 90s and we learned a lot since then and we can do much better. SPHINX has stronger security guarantees and robustness. Why would you protect your keys to your kingdom with anything less than the best there is? Use SPHINX for modern 21st century password security.

SPHINX isn't limited to passwords. It can generate:

• Time-based One-Time Password (TOTP) tokens for Two-Factor Authentication (2FA)
• Age encryption keys for file encryption
• SSH keys for secure remote access
• WebAuthn keys for passwordless authentication
• Custom binary keys for other cryptographic applications

See the Alternate Converters section in the documentation for examples.

You can access your passwords from anywhere and any device (as long as it can run the CLI client) in the world over the internet. No syncing is required, making your passwords instantly available on any device. Yes, this means if you're offline, you will not have access to your passwords if you use an online SPHINX server – but you could run your own server also on a local single-board computer or dedicated hardware.

With SPHINX, you never have to trust the server operator. Even if they:

• Are malicious and try to steal your passwords
• Get compromised by attackers
• Are forced by governments to hand over data
• Have poor security practices

…they still cannot learn your passwords because the system is designed so that this information is never available to them, even in principle.

There is this joke, that you could have your SPHINX server hosted by the NSA (and the Chinese, and the Russians – in a threshold setup) and they wouldn't be able to learn anything about your passwords. You certainly wouldn't do that with your legacy password managers! Of course, this only applies as long as the organization hosting your SPHINX server is not also actively compromising servers you are logging into, or at least seeing the plaintext login attempts at them. But that is a very strong attacker model, which only applies to state-level adversaries. In a threshold setup where multiple servers must collude to learn anything, this is even less of a joke – unless the NSA/Chinese/Russians all collaborate and hack your accounts.

Active nation-state malicious hosters aside, it's not fully zero trust. You do need to trust the SPHINX server to not want to Denial of Service (DoS) their users intentionally, to keep your records always available and to have good backups. If you run your own SPHINX server, you can of course do that yourself. But if you use a third-party server, you have to trust the operator to do that. This is a much less significant trust concern if you run a threshold setup, as the loss of a few hosters or records at hosters is not critical as long as a threshold number of SPHINX servers is still available.

Traditional password managers rely on computational security, which means they're secure as long as certain mathematical problems remain hard to solve. But SPHINX uses information-theoretic security (aka unconditional security), which means:

• Even with unlimited computing power, quantum computers, perfect algorithms, or a hive mind, both your input and output passwords are protected and cannot be learned by anyone by looking at your communication with the SPHINX server
• This is the same type of security used by one-time pads, which are provably unbreakable
• No future advances in computing or cryptography can compromise your passwords. This goes well beyond the "industry best practice" military grade AES encryption and the usual Password-Based Key Derivation Function 2 (PBKDF2)

The biggest threat to password managers is database theft. When attackers steal encrypted password databases, they can:

• Use specialized hardware (GPUs, FPGAs, ASICs) to try billions of password combinations per second
• Take unlimited time to crack your master password
• Gain access to all your passwords if successful

Legacy password managers can claim they do hundreds of thousands of PBKDF2 iterations (which are quite GPU-friendly) or even Argon2, but attackers (and servers hosting your database) can still brute-force your passwords offline if they steal your database. Not only will they learn all your passwords – when they succeed – that are encrypted, but also your master password.

SPHINX eliminates this entire attack vector. There's no database to steal, and every password guess requires communicating with the server over the network, making mass automated attacks impossible.

We use something we call a masterkey (think of it as an account token) which we use to identify your records and to authenticate any management operations on them. If you don't have this account token, you have no chance of even accidentally addressing any record.

SPHINX servers store only:

• Random numbers (meaningless without your master password)
• Optional password generation rules (length, character types)
• Optionally, encrypted usernames (if you enable the userlist feature)

They never store:

• Your passwords (input or output)
• Your master password
• Any identifying information about you, as you are not required to register or provide any personal information to use SPHINX
• Any way to link different passwords to the same user, unless you enable the optional userlist feature, which allows querying all usernames for a site. This data is encrypted and only reveals usernames, not passwords. A SPHINX server can correlate all the records that belong to the same user on the same server. If you don't want this, you can disable this in the configuration, but you will sacrifice some user experience.

You can even use SPHINX over Tor for complete anonymity.

SPHINX is completely open source. It is available in NixOS, Debian, and derivatives.

You can host your own server for complete control, or use public servers with confidence knowing they can't access your passwords due to the unconditional information-theoretic security property of SPHINX. We have a public server available at https://sphinx.ctrlc.hu, which is free to use. See the server installation guide for more details on how to set up your own server.

SPHINX code is open source and available on GitHub:

• Reference implementation: https://github.com/stef/pwdsphinx
• Production server in Zig: https://github.com/stef/zphinx-zerver/
• Android: There's a native Android app with fullv2 support. You could also write a client for Apple devices!
• Browser extensions for Firefox and Chrome-based browsers. Note that the usual reduction in security affecting all browser extensions applies here.

The reference implementation and production server have a very good command-line interface and very smooth extensible X11 integration.

SPHINX is in NixOS and in Debian and its derivatives.

If you are on a system like MacOS or Windows and want more than a CLI, you can build a client for yourself and others, to join the SPHINX community.

If you use a service that allows you to register multiple passwords, one regular and additional emergency passwords – like distress, alarm or self-destruct passwords – SPHINX has you covered. By choosing your input password you can select which output password will be generated. An attacker who has no control over the system that consumes the password, will not be able to distinguish which password triggers what emergency procedure. More services should support emergency passwords, I know…

SPHINX is essentially an Oblivious Pseudo-Random Function (OPRF). An OPRF is a two-party protocol where a client and a server work together to generate a value that looks random but is always the same for a given password. This process ensures that the client gets the result it needs without ever revealing the password to the server. See RFC 9497: Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups.

The original academic paper, SPHINX: A Password Store that Perfectly Hides Passwords from Itself, is written by Maliheh Shirvanian, Stanislaw Jarecki, Hugo Krawczyk, and Nitesh Saxena. In 2018, Hugo Krawczyk has been honored with The Levchin Prize for Real-World Cryptography and his creations like HMAC, HKDF, OPAQUE, HMQV, SIGMA, UMAC are used daily by billions of people.

We have a whitepaper documenting how we extended the original SPHINX paper mentioned above to make it work in a real world setup.

This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.

Further eternal gratitude to all the people who helped with this: hugo, dnet, d3v, rolf, asciimoo, jonathan, michiel, fabs, stefan and all those that I will be ashamed by later by forgetting to mention them here…