When it comes to using a password manager, convenience is essential for most people—even more so than security.
They want a utility that fills in passwords automatically, with a minimum of fuss.
If you're one of the few who values security over convenience, WWPass PassHub may be just the tool for you.
Built from the ground up with a focus on data security and zero knowledge, this tool takes a little more work on your part than most, but for the right user it can be a very good choice.
PassHub itself is a cloud-based web application, with no local installation required.
That means you can use it on Windows, macOS, Linux, Android, iOS, or any platform that supports a modern browser.
It does require one Android or iOS device to serve as the authentication passkey, which shouldn't be a problem for most people.
Getting Started With PassHub
Just about every password manager requires you to memorize a strong master password.
Not PassHub.
Its authentication centers on the PassKey, another product from WWPass.
Technically a PassKey can be an app, a smart card, or a USB device, but PassHub specifically relies on the mobile app.
This isn't precisely two-factor authentication, as your phone alone serves to authenticat you.
However, it's vastly better than single-factor authentication that relies strictly on a master password.
To start, go to the app store for your mobile device and install the WWPass PassKey app.
Tap to create your PassKey, and enter an alphanumeric PIN.
The app requires this PIN for certain sensitive activities, like creating a PassKey backup, but it's not a master password.
Setup finishes in seconds.
Assuming you want to use PassHub on the same mobile device, start by tapping the button that opens it in your browser.
You'll see a QR code, but don't worry—you don't have to figure out how to make your device take a picture of itself.
Just tap the code to create and open your PassHub account.
PassHub organizes data into what it calls safes, and comes preconfigured with a Personal Safe, a Work Safe, and an Example Safe.
That last one naturally contains some example entries.
To use PassHub on another device, you first navigate to passhub.net in the browser of your choice.
After you snap the resulting QR code with the PassKey app to authenticate, your account automatically opens in the browser.
If you're familiar with Myki Password Manager & Authenticator, you'll see similarities with PassHub.
I certainly did.
Myki requires a smartphone for setup, like PassHub.
It connects with desktop instances by snapping a QR code.
And it has a strong security focus.
However, there are some significant differences.
With Myki, your passwords reside on the smartphone, not in the cloud.
It operates as a browser extension on the desktop, where PassHub needs no extension.
And it handles common password manager tasks like automated password capture and replay, filling personal data in web forms, and reporting on weak and duplicate passwords, all things PassHub doesn't do.
Myki even functions as a replacement for Google Authenticator.
Manual Labor
Getting started is easy; getting your passwords into PassHub is not.
It's not a browser extension, so it doesn't have the power to capture credentials as you log in to secure sites.
Rather, you must create each login manually, entering (or copy/pasting) the username, password, and URL.
Yes, you can import data from another password manager, for a head start.
However, PassHub only offers dedicated support for importing from KeePass.
If you're moving from any other product, you'll have to export the data to a .CSV file.
I tried importing a stripped-down set of data exported from Keeper Password Manager & Digital Vault(Get 40% Off Keeper Unlimited and Keeper Family! at Keeper Security).
However, PassHub complained that it had the wrong number of "fileds" (meaning fields).
To get my data into the right format, I created a test login, exported it, and matched the layout of my data to the resulting file.
With that step complete, the import succeeded.
As you might have guessed, PassHub also doesn't automate the process of filling your saved credentials into secure sites.
It does offer handy buttons to copy username and password to the clipboard, though.
Like PassHub, KeePass, F-Secure Key, and Intuitive Password don't capture logins, but all three of them fully or partially automate password replay.
With PassHub, you can also store simple secure notes that sync across all your devices.
You might save things like a padlock combination, or your passport number.
You can also store and sync files, up to a maximum of 200MB.
Like Authentic8 Silo, another security-first product, PassHub doesn't store personal data for filling web forms.
My company contact pointed out that malefactors have found ways to steal form-fill data using hidden text boxes and, in any case, form-filling would require a browser extension.
A few other competitors eschew form filling, among them 1U, KeePass, and Zoho Vault.
Organizing Passwords
As noted, a new PassHub installation comes with three containers called safes.
One is for personal data, one for work, and one pre-loaded with a few examples.
As you'll see below, when you securely share data with another user, you share an entire safe, not individual items, so keeping things organized is important.
Within each safe, you can create any number of folders and subfolders to organize your logins.
With LastPass, Password Boss, Sticky Password Premium, and a few others, folders and subfolders become submenus attached to the browser extension's toolbar button.
PassHub doesn't require a browser extension, and hence doesn't have such a menu.
It's smart to organize as you go, putting new logins into the right folder upon creation.
If you need to rearrange things later, it's just a bit tedious.
You can't drag and drop; rather, you must cut the item and paste it into its new location.
Password Generator
As always, getting your passwords safely stashed in the password manager is just half the task.
You also need to replace any weak ones, or ones that you've used for more than one site.
PassHub doesn't check the strength of your passwords, and it certainly doesn't offer an actionable strength report such as you get with LastPass, LogMeOnce Password Management Suite Premium, Dashlane, and a few others.
You just have to work your way down the list and check each one.
When you're creating or editing a login entry, PassHub does offer a random password generator to help out.
By default, it creates passwords using digits plus uppercase and lowercase letters; be sure to check the box that requires it to use special characters, too.
Password length is important.
Adding a few characters can push the time to brute-force crack a password from days to centuries.
Alas, PassHub generates 10-character passwords by default, which I consider too short.
You don't need to go for its maximum of 64 characters, but please crank it up to 16 or even 20 characters.
After all, you don't have to remember the generated password.
By the same token, don't opt to create memorable passwords.
Using this gives you all-letter pronounceable passwords like nalabiweratur, but you're better off with a random mix of all character sets.
PassHub isn't the only product that defaults to too-short generated passwords.
Password Genie also defaults to 10 characters, and Trend Micro to just eight.
At the other end of the scale, Myki and Enpass Password Manager both create passwords of 30+ characters by default.
Secure Sharing
You shouldn't share your passwords with just anybody, but at times you really need to share access to one or more accounts.
With PassHub, you can share any safe with others, and control the level of access for each user.
Start by creating a safe for sharing, and then cut and paste the desired logins into that safe.
Click the three-dot menu icon for the safe and choose Share.
If this is your first time sharing the safe, PassHub prompts you to name the share.
Then click to generate a sharing code, which resembles a credit card number, with four sets of four digits.
Securely transmit that code to the recipient and wait for a response.
Note that the code expires after 48 hours.
The recipient must open PassHub, click the Accept Invitation link, and paste in the code.
Now the ball is back in your court.
You'll see a notification icon on the shared safe, and on the Users item in its menu.
Click Users, click to approve the new user and set an access level.
At the Read Only level, the user can view and use the shared items, and that includes seeing the password.
Some products, among them Dashlane, LastPass, and RoboForm, can let the recipient use the login without being able to see the password.
Cranking a user's access up to Editor enables editing of items in the safe.
At the Admin level, the recipient can add and remove other users, or modify their access.
Note that the items in the shared safe are literally shared, not simply copied.
Changes affect all users.
LastPass, LogMeOnce, Password Boss, and a few others take sharing to another level, providing a system that lets you bequeath your passwords to an heir but keep them secret while you're alive.
PassHub doesn't do this, at least not at present.
Zero Knowledge
The designers at WWPass don't want to see your passwords.
They don't even want to know who you are.
And since creating an account doesn't require an email address, they really do have zero knowledge.
This approach isn't simple.
Take sharing, for example.
The shared safe needs to be encrypted with your private key for your account, and with a different private key for each other user account.
One way to accomplish that would be to decrypt your data and re-encrypt it with the new key, but that's not acceptable, as the data would be unprotected during the process.
My company contact explained in detail how the system uses public and private keys to make the connection without exposing your data.
Rather than go into that level of detail, I'll offer an analogy.
Say your data is stored in a blue cloth bag, and you want to get it into a green bag without anybody seeing it.
You put the blue bag inside the green bag, shake out the data, and pull the blue bag out.
Simple!
Having access to your passwords controlled by a single mobile device could be a problem if that device gets lost or (worse) stolen, so the PassKey app includes the ability to back up your cryptographic details.
This backup itself could be a weak link, security-wise, but not the way WWPass does it.
Briefly, it divides the encrypted data into a dozen pieces and stores them on physically distant servers, with recovery requiring any six of the pieces.
The process of recovering to a new instance of the PassKey app automatically disables the instance on the lost or stolen device.
There's more, much more.
If you're interested, check out the product's security page, or download the whitepaper available on that page.
A Good Choice for the Right User
If you barely tolerate your password manager, if you just want it to take care of logins and stay out of your way, WWPass PassHub probably isn't for you.
But if you're willing to sacrifice a little convenience for a lot of security, it may be just the thing.
Pretty much every password manager company promises that they can't decrypt your data without that master password.
With PassHub, WWPass doesn't even know who you are.
For most users, though, convenience is king, and PassHub would be too much work.
LastPass is much easier to use, and offers two-factor authentication, secure sharing, and password inheritance.
Myki Password Manager & Authenticator offers the security of local-only password storage without sacrificing convenience.
These two are our Editors' Choice free password managers.
