With heylogin, your passwords are stored securely and not somewhere in the world, but in Germany.We guarantee you secure and strong passwords and the best protection against hackers - that's why all our ISO 27001 certified servers are located in Germany. The heylogin productive environment is located in Nuremberg, the standby server in Falkenstein. Backups are stored separately in Frankfurt. All data centres used are ISO-27001 certified.The systems are monitored every minute by a monitoring system. There is always someone on standby to intervene in case of anomalies.heylogin GmbH attaches great importance to sustainability. Our hosting providers operate their data centres 100% with electricity from renewable sources.

We know how difficult it is to constantly think up new passwords. This includes annoying master passwords that are also insecure.heylogin automatically creates strong and secure passwords that no one has to remember and that can be shared with the team with just one click. There is guaranteed to be no master password. So from now on you don't have to remember anything and you are even more secure than before.Why is Swipe-to-Login more secure? Because when you use a password, you are prompted to confirm once on your smartphone instead of typing in a master password. This means the security chip on your phone is used, making the process 2-factor secure from the start. So heylogin's Swipe-to-Login is not only a user-friendly login process, but actually uses end-to-end encryption from the smartphone to the browser to make passwords available and you and your business more secure.

The confidentiality of the stored data is ensured with end-to-end encryption. XSalsa20 is used as the symmetrical algorithm. The integrity of the stored data is ensured by Poly1305 and thus protected against modification. Curve25519 is used as the asymmetric encryption.heylogin uses the security chip embedded in the smartphone hardware for cryptographic operations.

heylogin GmbH and the product heylogin comply with the legal requirements of the European General Data Protection Regulation (GDPR). At the same time, the use of heylogin can help your company to meet requirements of certifications such as ISO 27001 and TISAX.When using our software and the associated information, we always take care to collect as little data as possible (data minimisation) and to process all necessary data in accordance with the DSGVO.When selecting subcontracted processors, we make sure that data protection is our top priority. We only use providers from Europe who meet all regulatory requirements.

Legacy password managers require users to remember and regularly enter a Master Password. This Master Password is used to encrypt and decrypt all storedprivate information, such as usernames and passwords. A Master Password must be complex and kept private, as it is the single secret to all information. There are several problems associated with this cryptographic design:

• 1-factor Security: While many password managers allow the setup of another factor, such as TOTP, U2F or FIDO2/WebAuthn, this is not done by most users. Furthermore, this second factor is not used for end-to-end encryption, but only an additional authentication via the provider's infrastructure. Exceptions are password managers with native smartcards that implement actual encryption using OpenPGP, PIV or FIDO2 hmac-secret.
‍
• Offline Attacks: The Master Password, as a factor of knowledge, cannot be protected against brute force attacks as soon as they are performed offline. When a password vault is stolen or a data leak occurs at the large commercial password managers, the encrypted vaults can be attacked “offline”, i.e., there is no interactive protocol involved that rate-limits retries. A brute force attack or dictionary attack is only slowed down by the vault's Password-based Key Derivation Function (PBKDF). However, this never achieves the protection of a Hardware Security Module (HSM) since PBKDFs only slow down the brute forc attack, but can never limit the number of tries like a HSM could.
‍
• Usability: Studies show that not all users are able to generate and remember a sufficiently secure Master Password. In a study by Pearman et al [1], participants reused a different password as their Master Password or had it generated on a website. The participants involved had no technological training. So, especially for people who are not IT experts, using a password manager with a Master Password can actually reduce their security to a single point of failure.
‍
• Time Required: Depending on the implementation and the security policies used, the Master Password must be retyped regularly by the user in order to temporarily decrypt the vault. We assume about 3 hours / month / user, which are spent for the regular typing of the Master Password and the password management.

The use of a legacy password manager is thus mainly associated with annoyances that go beyond the normal conflict between security and userfriendliness. Existing solutions cannot easily change their security architecture because basic user flows and user expectations go hand in hand with the Master Password.