How SafeKey Keeps Your Passwords Safe
Why breaches happen, why they can’t happen here, and what makes SafeKey different
A Security Paper for Business Owners
Written in plain English — no technical background required
Introduction
Barely a week goes by without another headline about a company being hacked and its customers’ data being stolen. It’s understandable that business owners might wonder: if these big companies can’t keep their data safe, how can I trust anyone with my passwords?
It’s a fair question, and it deserves an honest answer.
This paper explains, in plain English, how most online breaches actually happen, why those breaches are possible in the first place, and most importantly, why the way SafeKey is built means that the same kinds of attacks simply cannot succeed against your password vault.
We’re not going to hide behind technical jargon. If you’re trusting us with the keys to your business, you deserve to understand exactly how we keep them safe.
How Online Breaches Actually Happen
When you hear that a company has been “hacked,” it can sound mysterious and complicated. In reality, most breaches happen in one of two fairly straightforward ways:
1. Someone’s Login Details Are Stolen or Leaked
This is the most common way breaches occur. A bad actor gets hold of a username and password that gives them access to a system. Once they’re in, they can see everything that user — or in some cases, every user — can see.
This can happen in several ways:
- An employee falls for a phishing email — a fake email designed to trick them into typing their login details into a website that looks legitimate but isn’t.
- An employee uses the same password everywhere. If one service is breached, the attacker tries that password on other services and gains access.
- An employee’s password is simply too easy to guess — things like “company123” or “Password1” can be cracked in seconds by automated tools.
- The service provider’s own staff have access — in many online services, the company’s support team needs to be able to see your data in order to help you. That same access can be exploited if one of their staff is compromised.
2. The Service Itself Has a Security Flaw
Sometimes the problem isn’t a stolen password — it’s a weakness in the software itself. A flaw in the service’s architecture allows an attacker to gain access through a back door, bypassing the normal login process entirely.
Once inside, the attacker can often copy large amounts of data and take it away to examine at their leisure. This is how some of the largest breaches in history have occurred — millions of customer records stolen in a single attack.
The Underlying Problem: Centralised Access
Here’s the critical thing that both of these attack methods have in common: they succeed because most online services store everyone’s data in one big, central database. Once someone gets in — whether through a stolen password or a software flaw — they have access to everything. Every customer’s data, all in one place, all accessible at once.
Think of it this way…
Imagine an apartment building where every unit uses the same master key. If someone gets hold of that key, or finds a way to pick the lock on the front door, they can walk into every apartment in the building. That’s how most online services work. One way in, and everything is exposed.
This is the fundamental problem with most online services. It’s not that they don’t try to be secure; many of them invest heavily in security. It’s that the architecture itself, the way the system is built, means that a single point of failure can expose everything.
How SafeKey Is Built Differently
SafeKey was designed from the ground up to eliminate the vulnerabilities that make these breaches possible. We didn’t take a standard approach and then add security on top. We built security into the very foundation of how the service works.
There are four key things that set SafeKey apart:
1. Zero Trust: Nobody Is Automatically Trusted
SafeKey operates on what’s known as a “zero trust” approach. In simple terms, this means we never assume someone is who they say they are just because they’re inside the system.
In the old days of office security, once someone walked through the front door, they were trusted. They could go anywhere and access anything. Zero trust flips that on its head. Every person, every device, and every login has to prove who they are, every single time.
At SafeKey, this means:
- Every login is verified. When you or a team member logs into SafeKey from a new or unrecognised device, a second verification step is required. This means even if someone somehow obtained your password, they still can’t get in without also having access to your phone or authentication device.
- Access is limited to what each person needs. Each team member can only see the passwords they’ve been given access to. There is no “master view” that shows everything to everyone.
- Nothing is assumed. Even after you’re logged in, SafeKey continues to verify that you are who you say you are. If something looks unusual, access is challenged again.
Think of it this way…
Zero trust is like having a security guard at every single door inside a building, not just at the front entrance. Even if someone manages to get through the front door, they still can’t get into any room without proving they belong there.
2. Individual Encryption: Even We Can’t See Your Passwords
This is the single most important security feature of SafeKey, and it’s worth taking a moment to understand it clearly.
When your password vault is created, it is encrypted using your master password. Encryption is like putting your passwords inside a locked safe — without the key, the contents are completely unreadable. Just a scrambled mess of random characters that means nothing to anyone.
Here’s the crucial part: SafeKey does not have your master password. We don’t store it. We don’t know it. We have no way to find it out. Your master password exists only in your head.
This means that even if someone broke into SafeKey’s systems and stole every piece of data we hold, they would end up with nothing but encrypted vaults — locked safes with no keys. The data would be completely useless to them.
It also means that we, as your provider, cannot see your passwords. Even if we wanted to — which we don’t — it would be technically impossible. Our own staff cannot open your vault. Our own systems cannot read what’s inside it. This is by design.
Why does this matter?
Many online services require the ability to see your data in order to provide support. That means their staff have access, which means a bad actor who compromises a staff member’s account can see your data too. SafeKey has deliberately removed this possibility. We support you without ever needing to see your passwords.
Think of it this way…
Imagine you rent a safety deposit box at a bank. The bank provides the box and the room it’s kept in, but only you have the key. The bank staff can’t open your box. A bank robber who broke into the vault room would find rows of locked boxes they can’t open. That’s how SafeKey works. We provide the vault, but only you hold the key.
3. Separate Vaults: Your Business Gets Its Own Private Safe
This is where SafeKey takes a fundamentally different approach to most other password managers.
Most password management services operate on a shared system. All of their customers’ data sits within a single platform, a single database, a single environment. It’s like a bank where everyone’s money goes into one big pool. The service keeps track of who owns what, but underneath, it’s all mixed together.
SafeKey doesn’t work that way. Every customer gets their own completely separate vault, running on its own separate instance. Your data doesn’t sit alongside anyone else’s. It’s isolated — physically and logically separate from every other customer’s data.
Why does this matter? Because one of the most common causes of data breaches is simple human error. A configuration mistake, an accidental exposure, a software update that goes wrong. In a shared system, a mistake affecting one customer can potentially expose every customer. In SafeKey’s separated architecture, a problem in one vault cannot affect any other vault.
Think of it this way…
Most password managers are like a block of flats with shared walls, shared plumbing, and a shared front door. If there’s a flood in one flat, the water gets into the others. SafeKey is like a row of completely separate houses. Each one has its own walls, its own locks, and its own foundations. What happens in one house stays in that house.
4. Second-Factor Verification: A Stolen Password Isn’t Enough
Even in the unlikely event that someone discovered your master password, they still couldn’t access your vault from a new device. SafeKey requires a second form of verification — typically a code sent to your phone or generated by an authentication app — before allowing access from any device that hasn’t been used before.
This means an attacker would need to have both your master password and your physical phone or device at the same time. The chances of that happening are extremely small, and it’s a level of protection that goes well beyond what most online services offer.
How SafeKey Compares to Other Services
Here’s a plain comparison of how most online services and password managers handle security, versus how SafeKey works:
| | Most Online Services | SafeKey |
| --- | --- | --- |
| Data storage | All customers in one shared database | Every customer in a separate, private vault |
| Provider access | Staff can view your data for support purposes | Nobody at SafeKey can see your passwords, ever |
| If breached | All customer data exposed at once | Only encrypted, unreadable data, useless without your key |
| Human error risk | One mistake can affect all customers | Mistakes are contained to a single vault |
| Login security | Username and password only (sometimes with 2FA) | Zero trust + mandatory second-factor on new devices |
| Encryption | Data often encrypted in transit, not always at rest | Every vault individually encrypted with the customer’s own key |
| Who holds the key? | The service provider | You, and only you |
What Would Happen If Someone Attacked SafeKey?
Let’s walk through the most common attack scenarios and explain exactly what would happen with SafeKey:
Scenario: A hacker steals login credentials from a SafeKey staff member
Even if a bad actor obtained the login credentials of a SafeKey staff member, they would not gain access to your passwords. SafeKey staff do not have the ability to view, decrypt, or access customer vaults. There are no “admin keys” that unlock customer data. The encrypted vault can only be opened with your master password, which we do not hold.
Result: Your passwords remain completely safe.
Scenario: A hacker breaks into SafeKey’s systems and copies vault data
Even in this extreme scenario, the attacker would end up with encrypted files that are completely unreadable. Each vault is encrypted with its owner’s master password, which is not stored anywhere on our systems. The attacker would have the equivalent of a pile of locked safes with no keys. Without your master password, the data is meaningless.
Result: Your passwords remain completely safe.
Scenario: A hacker obtains a customer’s master password
If an attacker somehow obtained your master password — for example, by watching you type it — they would still need to pass the second-factor verification on a new device. Without access to your phone or authentication device, the master password alone is not enough to get in.
Result: Your passwords remain protected by the second layer of security.
Scenario: A software error accidentally exposes data between customers
Because every SafeKey customer operates on a completely separate instance, a software error affecting one customer’s vault cannot leak data into another customer’s vault. There is no shared database where data could get mixed up. And even if vault data were somehow exposed, it would still be encrypted and unreadable without the customer’s master password.
Result: Your passwords remain completely isolated and encrypted.
Being Honest About the Trade-offs
We believe in being completely transparent with our customers. SafeKey’s security model provides outstanding protection, but that level of security does come with two trade-offs that you should be aware of:
1. We Cannot Recover a Lost Master Password
Because your master password is used to encrypt your vault, and because we do not store it anywhere, we genuinely cannot recover it if you forget it. This is not a limitation we can work around — it’s a fundamental part of what makes SafeKey secure. If we could recover your master password, so could a hacker.
If a master password is lost, the vault would need to be deleted and recreated. The passwords stored inside it would be gone.
How to protect yourself
We recommend writing your master password down and storing it in a physically secure location, such as a locked safe or a sealed envelope in a secure drawer at home. This is one of the few situations where writing a password down is actually the safest approach. Keep it separate from your devices, and tell a trusted person where to find it in an emergency.
Some businesses also choose to keep a sealed copy with their solicitor or accountant, alongside other critical business documents.
2. Some Setup Features Are Less Automated
Because every user’s vault is individually encrypted, certain setup and management tasks that would be simple in a less secure system are more involved with SafeKey. For example, some administrative actions require the user themselves to be logged in, because our team cannot access their vault to make changes on their behalf.
We know this can occasionally feel less convenient than services where the provider can simply reach in and configure things for you. But that convenience comes at a cost — it means the provider can see your data. We’ve deliberately chosen security over convenience, and we believe our customers are better off for it.
Our Commitment to You
SafeKey is under ongoing development. We are constantly working to improve the service, add features, and make the experience smoother for our customers. But there is one thing that will never change:
We will not compromise our security standards.
Our standards are high, and we intend to keep them that way. Your passwords are the keys to your business, and we treat them with the seriousness they deserve.
In Summary
Most online breaches happen because services store everyone’s data in one place and because the service provider has the ability to access that data. SafeKey eliminates both of these weaknesses:
- Your vault is encrypted with your own key. Not even SafeKey can open it.
- Your vault runs on its own separate instance, completely isolated from every other customer.
- Every login requires verification. A stolen password alone is not enough to get in.
- We operate on a zero trust model. Nobody is automatically trusted, ever.
- Your data stays in New Zealand, governed by New Zealand law, with no foreign jurisdiction.
When you store your passwords with SafeKey, you’re not just trusting a promise. You’re trusting an architecture that makes a breach, for all practical purposes, useless to an attacker. That’s the difference.
Your Passwords Deserve Better Than a Promise
SafeKey protects your business with architecture, not just intentions.
www.safekey.co.nz • 100% NZ owned & hosted • $36 per user/year