Tilig - Security

Reusing passwords is dangerous

One of the biggest problems on the internet is credential stuffing attacks. In these attacks, criminals use passwords obtained from previously breached websites to gain access to other websites. According to the Wikipedia list of data breaches, over 2.7 billion identity records with 21 million unique passwords were offered for sale in 2019. This means that if you reuse passwords or manually create them, you are likely to get hacked. The most practical way to prevent password reuse and to automatically create strong passwords is a password manager.

Needs to be easy to use and free

While using a password manager is a great way to keep yourself safe, only 6.8% of people were able to provide the name of a secure password manager application, and 59% use the same password everywhere. At Tilig, it is our mission to make people more secure online, and we think two things need to change to get most people to use a password manager:

  1. The password manager needs to be easier to use than existing password managers.
  2. The password manager needs to be free for private usage.

Read along to see how Tilig achieves both.

Easy to use

If you use a traditional password manager like 1Password, you are asked to:

  1. Create a master password
  2. Print out a physical recovery paper
  3. Store that paper in a vault

If you lose either your master password or the paper, you are at risk of losing all your passwords. We don't think that is easy to use. With Tilig there is no master password, so it is much easier to use.

Server side encryption

There is no master password in Tilig because we only use server side encryption of passwords and don't do client side encryption. The advantage is that Tilig is much easier to use: you don't need to manage a master password. The first potential downside is that if attackers breach Tilig and get our encryption keys, they can get all your passwords. This is why we are trying to keep Tilig secure from attackers, similar to business password services that use server side encryption, like Okta. The second potential downside is that if criminals get access to your Google or Apple account, they can access your passwords. We think that in most cases getting access to such a crucial account would allow an attacker to get access to your accounts anyway, for example by resetting passwords via Gmail.


Because Tilig relies on your Google or Apple account we save significantly on our costs:

  1. We have a free first line of defence from very smart companies that have sophisticated ways to prevent account takeover. Google accounts are the most secure.
  2. If people lose access to their account, they will contact Google or Apple and not us, reducing our support burden.

That is why Tilig is a free service without a monthly subscription fee. In the future we might charge for business accounts or introduce additional services like virtual credit cards or virtual phone numbers to make people more secure online.

Tilig Security Details

The following details are meant to give an idea of our approach to keeping your data secure; some of it might be out of date or inaccurate.

  1. Tilig runs in containers on Kubernetes, using EKS on AWS.
  2. We run multiple containers.
  3. We store all secrets encrypted with AES-256 in EAX mode in a PostgreSQL database.
  4. We encrypt the user key via KMS. The key to encrypt the user key is stored in AWS HSM.
  5. All of our PostgreSQL databases are encrypted.
  6. Your data is encrypted and stored in our encrypted database.
  7. The user key is PBKDF2 derived with 100,000 iterations. The user key is generated using a cryptographically secure random number generator.
  8. In Kubernetes, our containers with database access run on encrypted networks.
  9. You’ll access your data over SSL via your browser, which is itself standard encryption.
  10. Production AWS RDS has AWS standby nodes.
  11. We do not use any scripts for syncing databases. AWS does all the syncing itself. Therefore your secrets are not going to be stored in any logs.
  12. Our logs do not include any encrypted or decrypted secrets.
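
The layering in items 3 and 4 (secrets encrypted under a per-user key, the user key wrapped by a key held elsewhere) is envelope encryption. The sketch below is an added example, not Tilig's code. It assumes AES-256-GCM in place of EAX (Node's built-in crypto module has no EAX mode), a local 32-byte key standing in for the KMS/HSM-held key, and a hypothetical row layout and function names.

```javascript
// Added illustration, not Tilig's code. AES-256-GCM stands in for EAX and a
// local 32-byte key stands in for the KMS/HSM-held key (both assumptions).
const crypto = require('node:crypto');

// AEAD seal: returns nonce || tag || ciphertext. `aad` binds context (here a user id).
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// AEAD open: throws if the key, the AAD or any byte of the blob is wrong.
function open(key, blob, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Write path: a fresh random user key encrypts the secret; the master key wraps the user key.
function storeSecret(masterKey, userId, secret) {
  const userKey = crypto.randomBytes(32);
  return {
    userId,
    wrappedUserKey: seal(masterKey, userKey, userId),
    encryptedSecret: seal(userKey, Buffer.from(secret, 'utf8'), userId),
  };
}

// Read path: needs only the database row and the server-held master key, no user password.
function readSecret(masterKey, row) {
  const userKey = open(masterKey, row.wrappedUserKey, row.userId);
  return open(userKey, row.encryptedSecret, row.userId).toString('utf8');
}

// True if decryption fails, i.e. the row was altered or the master key is wrong.
function rejects(masterKey, row) {
  try { readSecret(masterKey, row); return false; } catch { return true; }
}
```

A database dump alone yields nothing readable, while anyone holding both the rows and the master key can read every secret, which is the first downside described under "Server side encryption".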

Security diagram of password read and write

Contact us

We want your feedback. Send us an email with any and all feedback!