Secure Password Sync
Xmarks can securely sync your passwords across all your computers

Secure Password Sync is an optional feature that lets you keep your saved passwords in sync between your computers. Save your passwords at work and have them automatically available on your computer when you get home!

Our Password Sync feature is only available in Firefox 3.

How it works

Password Synchronization works silently in the background to make sure that your passwords are the same on all your computers. If you add, remove or update a password on one computer, Xmarks will make sure that your change will automatically be made on all your other computers as well. It works in a similar manner to bookmark synchronization with two major differences:

  1. Password Synchronization is completely optional and is turned off by default. Xmarks will ignore your passwords until you decide to synchronize them.
  2. Password Synchronization encrypts your passwords using a secret PIN of your choosing before they ever leave your computer. This ensures that nobody but you, not even Xmarks, can gain access to your passwords. You can learn more about encryption and security below.

The diagram below illustrates in greater detail how Password Synchronization works.

Diagram showing how Secure Password Sync works.

Encryption and Security

To encrypt your passwords, Xmarks uses the AES encryption algorithm with a 256-bit key. AES is a United States government standard (FIPS 197) and is approved by the National Security Agency (NSA) for protecting classified information. See the AES Wikipedia entry for more details.

AES takes the data that needs to be encrypted along with a key derived from a secret PIN of your choosing, and produces an encrypted result. Without the PIN, the encrypted data cannot practically be decrypted by a third party, not even Xmarks. The weakest point is therefore the strength of the PIN you choose: anyone who obtains the encrypted data can try PINs offline until one decrypts it, so a short or guessable PIN undoes the protection AES provides. Xmarks recommends that you choose a PIN that is difficult to guess and contains a wide variety of letters, numbers and other characters.

Frequently Asked Questions
Can I choose which passwords are synchronized to which computers? (Does it support Sync Profiles?)

Yes, password synchronization works with Sync Profiles. To select which passwords get assigned to which profiles, click on the "Sync Profiles" button on my.xmarks.com, and then select "Passwords" in the drop-down.

Where is my PIN stored?

Your PIN is stored on your computer in the same place where Firefox stores all your other saved passwords, so a Firefox master password protects it in the same way it protects them. Your PIN is never synchronized with your other computers and Xmarks will never cause it to leave your computer. Only you and your computer ever have knowledge of the PIN; Xmarks does not, and so cannot use it to access your passwords.

Why do I need to enter a PIN to setup Sync Profiles for my passwords? How is this secure?

To show you the websites for which you have saved passwords, we first need to decrypt your passwords using the same PIN that was used to encrypt them. The PIN you enter is used only for that decryption: it is not saved to disk, it is held in memory only for as long as the decryption takes, and it is not sent over the network. Decryption is performed locally on this computer and the result is not cached.

Additionally, only information about the website (domain and realm) and username is presented here. Your actual passwords are not made available for viewing, are not written to disk, and are not retained in memory. All password data held for this dialog, decrypted or encrypted, is flushed from memory when the Sync Profiles dialog window is closed.