Why we can't reset your passphrase — and why that protects you
Every vault company promises privacy. Ours is enforced by mathematics, and it comes with one trade-off we'd rather explain than hide.
If you forget your Netflix password, you click "forgot password" and a reset email arrives. It feels like a kindness. It's also a confession: if a company can reset your password, that company can read your data.
ShareMyVault cannot reset your vault passphrase. Not because we built the feature and turned it off — because the code path doesn't exist. Here's why we made that choice, and what it means for you.
The reset button is a backdoor with good manners
When a service can restore your access, it means your encryption keys (or your unencrypted data) live somewhere the service controls. A support agent can reach them. A subpoena can reach them. An attacker who breaches the right server can reach them.
For family photos on a social network, that trade-off might be fine. For the keys to your bank accounts, your will, and the instructions your family will need on their worst day — we don't think it is.
What happens instead
When you create a vault, your passphrase is stretched into an encryption key on your own device using Argon2id, a deliberately slow, memory-hard algorithm designed to make guessing expensive. That key wraps a master key, which protects everything in your vault.
The passphrase never travels to us. The derived key never travels to us. What our servers store is ciphertext — scrambled bytes we have no means to unscramble.
Your safety net: 24 words
Because we can't rescue you, we make sure you can rescue yourself. At signup you receive a 24-word recovery phrase — a second, independent key to your vault. Write it down. Keep it with your passport or in the drawer where your family keeps important things.
If you forget your passphrase, those 24 words unlock your vault and let you set a new one. That's recovery without a backdoor.
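The key wrapping and 24-word recovery described above, as an added example that is not ShareMyVault's code: one random master key is wrapped twice, once under the passphrase and once under the recovery phrase, so either one unlocks the vault and a reset only re-wraps the master key. Assumptions: scrypt stands in for Argon2id (Node's core crypto module is used on its own here), AES-256-GCM does the wrapping, the recovery phrase goes through the same key derivation, and all function and field names are hypothetical.

```javascript
// Added example. scrypt stands in for Argon2id (assumption: Node core crypto only).
const crypto = require('node:crypto');

// Stretch a secret into a 256-bit key-encryption key on the client (~32 MiB per guess).
function deriveKek(secret, salt) {
  const opts = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
  return crypto.scryptSync(secret.normalize('NFKC'), salt, 32, opts);
}

// AES-256-GCM: authenticated, so a wrong key fails loudly instead of yielding garbage.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if key or data is wrong
}

// A slot is the master key wrapped under one secret, with that secret's own salt.
function makeSlot(secret, masterKey) {
  const salt = crypto.randomBytes(16);
  return { salt, ...seal(deriveKek(secret, salt), masterKey) };
}
function openSlot(secret, slot) {
  return unseal(deriveKek(secret, slot.salt), slot);
}

// Runs on the device. The returned object is all a server would ever hold.
function createVault(passphrase, recoveryPhrase, plaintext) {
  const masterKey = crypto.randomBytes(32);
  return {
    passSlot: makeSlot(passphrase, masterKey),
    recoverySlot: makeSlot(recoveryPhrase, masterKey),
    data: seal(masterKey, Buffer.from(plaintext, 'utf8')),
  };
}
function readVault(secret, slotName, vault) {
  return unseal(openSlot(secret, vault[slotName]), vault.data).toString('utf8');
}

// Recovery: unwrap with the 24 words, re-wrap the same master key under a new passphrase.
function resetPassphrase(recoveryPhrase, newPassphrase, vault) {
  const masterKey = openSlot(recoveryPhrase, vault.recoverySlot);
  return { ...vault, passSlot: makeSlot(newPassphrase, masterKey) };
}
```

Nothing in the stored object lets its holder derive either wrapping key, and if both secrets are lost no slot can be opened, which is the data-loss case the page describes.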
The honest fine print
If you lose both your passphrase and your recovery phrase, your data is gone. Not "call support" gone — mathematically gone. We say this on our homepage, at signup, and here, because a privacy promise that hides its costs isn't a promise. It's marketing.
We chose the version of this product that can't betray you. The price is a sheet of paper you need to keep safe. We think that's the right trade.