Questions, answered

Novash is a password manager: an encrypted vault for logins and related secrets, with apps for iOS and Android. You unlock the vault with a master password and—where your device supports it—biometrics.

Product packaging can change. Check the Download page and in-app billing for what is included in your region. Our security architecture does not depend on “paying for encryption”—it depends on math and careful engineering.

Browsers optimize for convenience. Novash optimizes for vault isolation, strong generation, and consistent behavior across apps and sites—especially when you switch devices or share access deliberately.

Novash is designed as a zero-knowledge system: your vault is encrypted on your devices, and what syncs is ciphertext. We do not run the service in a way that requires access to your plaintext vault for normal operation.

The product uses modern, widely reviewed building blocks—including AES-256-GCM for protecting vault data and Argon2id for key derivation—aligned with current industry guidance. Exact parameters can evolve with releases; keep apps updated.

No service can promise “impossible.” In a well-designed password manager, a server-side incident should not trivially become a vault-wide plaintext leak, because keys to decrypt everyday use should remain with your devices and your master password.

We do not monetize your vault contents. Read the Privacy Policy for what account metadata may exist for billing, support, and abuse prevention.

If you find a vulnerability, contact us privately with impact and reproduction steps. Public zero-day posts harm users; coordinated disclosure helps everyone.

Your devices synchronize encrypted vault data through the service. The goal is simple: each device you trust can obtain ciphertext and decrypt locally after authentication.

You should expect cached vault access on a device that has already unlocked—network outages should not brick you immediately. Exact offline behavior depends on platform and version.

Operational backups may exist for reliability and disaster recovery, but they should still be ciphertext under your keys—not a readable archive for support to browse.

In a true zero-knowledge design, the master password is not something we can reset like an email password. If you lose it and you do not have working recovery materials, you may lose access to the vault. That is harsh—and intentional.

Email providers can re-issue access because they control the inbox. A password manager should not be able to silently mint keys to your vault without your participation, or the product is not zero-knowledge in practice.

Accounts need identifiers for sign-in, billing, and abuse prevention. Your email is not a substitute for your vault keys.

Novash ships for iOS and Android. Use the Download page for install sources and version notes.

Yes—that is the point. Add only devices you control, and review active sessions periodically.

Revoke sessions where possible, rotate critical credentials for high-value accounts, and ensure your master password is not written down somewhere accessible on that device.

The honest answer: compare cryptography, threat model, audit posture, and client quality. Novash is built to compete on fundamentals—clear security claims, modern primitives, and UX that respects real life—without pretending “marketing equals safety.”

Open source helps verification, but it is not a substitute for discipline: threat modeling, secure defaults, and operational maturity still matter. We focus on claims we can defend and ship.