Increasing security with Password Depot
Password management, true randomness, and secure data deletion.
Many companies and private users face the same question: How can passwords and other sensitive information be protected reliably while still being convenient to use – including audit-proof deletion of data that is no longer needed and without unnecessary risks related to cloud storage locations?
Below, we show how Password Depot enables a high level of security – from password management, strong encryption, and secure password generation to final data deletion and sovereign storage locations.
Summary – the key points at a glance
- Manage passwords centrally & securely: A password manager reduces reuse, promotes strong passphrases, and simplifies day-to-day operations.
- Strong cryptography: Encryption using AES-256 (FIPS 197) is considered a proven industry standard; the NSA recommends AES-256 in CNSA 2.0 for systems requiring particularly strong protection.
- Modern password policies: Long, unique passphrases instead of rigid complexity requirements; screening against lists of compromised passwords; explicitly allow password managers (in accordance with NIST SP 800-63B-4).
- Secure data deletion: Overwrite/crypto erase methods in accordance with NIST SP 800-88 Rev.1; DoD 5220.22-M is historical, and NIST recommendations apply to modern media.
- Data sovereignty: With Password Depot Client & Password Depot Enterprise Server, the storage location is freely selectable – e.g. on-premises or EU hosting.
Efficient management of authentication data
The number of required credentials (passwords, user IDs, PINs) is continuously increasing. In day-to-day use, sticky notes, spreadsheets, or browser storage are common, but they are error-prone and encourage password reuse. Authorities such as the BSI and the UK's NCSC therefore recommend using a password manager: it generates strong passwords, warns against weak or compromised credentials, and makes clear assignment easier. Source: BSI, Source: NCSC
Practical tip
Use a separate, strong password for each service and enable – wherever possible – multi-factor authentication (MFA).
Maximum security for storage & access
Password Depot stores passwords and other confidential information (e.g. license keys, identity and payment data) in encrypted form. It uses AES-256 – a method standardized by FIPS 197; the NSA includes AES-256 in the current CNSA 2.0 suite. FIPS 197, NSA CNSA 2.0
The master password is the key to your database. It is not stored in plaintext; instead, a cryptographically derived value is used during login. Modern guidelines call, among other things, for memory-hard password hashing methods and salt as well as rate limiting on the verifier side. NIST SP 800-63B-4
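The guideline points above (salted, memory-hard derivation plus verifier-side rate limiting), sketched as an added example. This is not Password Depot's code; scrypt, the cost parameters, the lockout threshold and the `Verifier` class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters (about 16 MiB of memory per guess).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
MAX_FAILURES = 5  # assumed lockout threshold for the rate limit


def derive(password: str, salt: bytes) -> bytes:
    """Memory-hard, salted derivation of a 32-byte value from the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=64 * 1024 * 1024, dklen=32)


class Verifier:
    """Keeps only the salt and the derived value, never the password itself."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)  # unique random salt per record
        self.stored = derive(password, self.salt)
        self.failures = 0

    def check(self, attempt: str) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"  # refuse before spending any hashing work
        candidate = derive(attempt, self.salt)
        if hmac.compare_digest(candidate, self.stored):  # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        return "denied"


if __name__ == "__main__":
    v = Verifier("correct horse battery staple")  # constructed sample passphrase
    print(v.check("guess-1"), v.check("correct horse battery staple"))
```
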
Important
Complexity rules (mandatory special characters, etc.) are considered counterproductive. Long passphrases and checks against blocklists (common/compromised passwords) are recommended. Passwords should only be changed if compromise is suspected, not on a fixed schedule. NIST SP 800-63B-4, NCSC: Three random words
Generate strong passwords – truly random, thoroughly checked
Password Depot uses cryptographically secure random values to generate strong passwords. Entropy may be derived, among other things, from unpredictable user interactions (e.g. mouse movements) and system sources to properly initialize the random number generator. In addition, the generator checks quality (including dictionary and leak list matching) to prevent weak or already known passwords – in line with current guidelines for screening against compromised values. NIST SP 800-63B-4
Recommendation
Use automatically generated passwords with substantial length (e.g. ≥ 20 characters) or—where usability is critical—long passphrases (e.g. three to four random words). NCSC background
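An added example of the generation and screening steps described above, using Python's operating-system CSPRNG. It is not Password Depot's generator; the alphabet, the tiny blocklist and word list (both constructed) and the substring screening rule are assumptions.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
MIN_LENGTH = 20  # the length recommended in the text above

# Constructed stand-in for a real dictionary / leaked-password list.
BLOCKLIST = {"password", "qwerty", "letmein", "123456", "dragon"}
# Constructed 16-word list for illustration; real lists hold thousands of words.
WORDS = ["amber", "bridge", "candle", "delta", "ember", "falcon", "garnet",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow",
         "nectar", "orchid", "pebble"]


def is_screened_out(candidate: str) -> bool:
    """True if the candidate equals or contains a blocklisted value."""
    lowered = candidate.lower()
    return any(bad in lowered for bad in BLOCKLIST)


def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw each character from the OS CSPRNG; redraw if screening fails."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_screened_out(candidate):
            return candidate


def generate_passphrase(count: int = 4, sep: str = "-") -> str:
    """Pick distinct random words with the OS CSPRNG."""
    return sep.join(secrets.SystemRandom().sample(WORDS, count))


def entropy_bits(choices: int, picks: int) -> float:
    """Upper bound on entropy for `picks` independent draws from `choices`."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(len(ALPHABET), MIN_LENGTH)))
    print(generate_passphrase(), round(entropy_bits(len(WORDS), 4)))
```

With the 16-word sample list a four-word passphrase has only 16 bits of entropy; a 7776-word list gives about 52 bits for the same four words, which is why the size of the word list matters as much as the word count.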
Final data deletion – what really applies today
Password Depot provides methods for securely removing confidential files, including the widely cited DoD 5220.22-M overwriting method (multiple passes). This method is historically significant, but for modern media (especially SSDs) the authoritative reference today is NIST SP 800-88 Rev.1. It distinguishes between Clear, Purge (e.g. Cryptographic Erase, ATA Secure Erase) and Destroy and addresses device-specific procedures. NIST SP 800-88 Rev.1
In practice, this means: HDDs can be securely sanitized in many scenarios through documented overwriting (Clear/Purge); for SSDs, Sanitize/Secure Erase or Cryptographic Erase are the preferred methods. NIST explicitly lists these options (including TCG/ATA commands). Details in NIST SP 800-88 Rev.1
In plain terms
DoD 5220.22‑M is more of a historical reference; in the US regulatory framework, the NISPOM policy (DoD 5220.22‑M) has since been replaced by 32 CFR Part 117 (NISPOM Rule). Today, NIST 800–88 is the benchmark for data erasure practices. DCSA on the NISPOM Rule, NIST SP 800–88 Rev.1
Secure storage & data sovereignty with Password Depot
Password Depot gives organizations maximum flexibility: Password Depot Client and Password Depot Enterprise Server let you decide where your data is stored – for example, entirely on-premises (no transfer to third countries) or with an EU hosting provider of your choice.
Legal context (EU↔US data flows): In 2020, the CJEU invalidated the Privacy Shield (Schrems II), making additional safeguards necessary for transfers to third countries ever since. In 2023, the European Commission adopted the new EU-US Data Privacy Framework (DPF), which was upheld by the EU court in 2025 – providing a degree of legal certainty, although legal debate continues. Choosing storage locations with sovereignty in mind (e.g. on-premises or EU hosting) reduces dependencies. CJEU C-311/18, EU Implementing Decision 2023/1795, Confirmation 2025
Final considerations
Security is not a one-time project, but an ongoing process. Password Depot helps you generate strong credentials, store them securely, use them in a controlled manner, and – when necessary – permanently delete them. Combined with clear policies (MFA, passphrases, regular review of compromised passwords, NIST-compliant deletion processes), you can achieve a robust, practical level of protection.
Ready to implement immediately
- Choose a long master passphrase (e.g. ≥ 15 characters or three to four random words).
- Use a password generator; do not reuse passwords; enable MFA.
- Allow “paste” in login fields & use password manager autofill (policy adjustment).
- For deletion, use and document NIST 800-88-compliant procedures for each storage medium (HDD/SSD).
- Define the storage location strategically (on-premises/EU hosting) – minimize data flows.