Password manager

Store, share, and recover your school's shared accounts — Google Workspace, PowerSchool, social media, vendor logins. End-to-end encrypted, audit-logged, and built for graceful staff transitions.

The Password Vault — Your school's shared logins, encrypted in your browser before they reach our servers

The two-vault model

Every TSNC user actually has two vaults, not one:

  • Primary vault — your work passwords. Tied to your school. Wrapped with both your master password AND your org's escrow recovery key (so if you leave, your principal can recover the school accounts).
  • Personal vault — your personal passwords (banks, family accounts). NOT escrow-wrapped. NOT recoverable by your school. Yours alone.

You see them as a single list with a category indicator, but they're cryptographically separate. When you leave the school, you take your personal vault with you.

✝️
The recovery covenant
We promise: if your org admin recovers your vault, you'll be notified by email AND in-app — every time, automatically, with no way for the admin to suppress it. You'll see who did it, when, and what reason they gave. This isn't a feature we can turn off in the settings. It's how we earn the right to be a password manager you trust.

Setting up your master password

  1. Pick a passphrase, not a password
    Six random words is stronger than any 8-character password with symbols. "correct horse battery staple lake bridge" is great. Don't use anything that means something to you.
  2. Write down recovery codes
    You'll get 8 single-use recovery codes when you set up MFA. Print them. Keep them somewhere physical and secure (locked drawer, fireproof safe). If you lose your master password AND your authenticator, these are how you get back in.
  3. Test the unlock flow
    Lock the vault and unlock it again to make sure your password is what you think it is. Now is the time to find out you typo'd.

Sharing passwords

Schools don't have one Google account — they have many shared logins. Use Collections.

  1. Create a Collection
    e.g., "Front Office" or "Admin Staff". Collections hold a set of related passwords.
  2. Add passwords to the Collection
    Either move existing entries in or create new ones directly.
  3. Invite members
    By email. They get a notification. Until they accept and have a vault of their own, the share is pending.
  4. Members access shared passwords
    Through their vault, marked with a Collection badge. They can't edit unless you grant edit access.
⚠️
Cross-org sharing requires explicit approval
If a member is at a different org than you, the share request goes to BOTH orgs' admins for approval before any access is granted. This prevents shadow IT — one teacher accidentally sharing the school's vendor login with their cousin's school.

Vault recovery (when someone leaves)

The most important password manager feature is the one you hopefully never use.

How it works

When you (an org admin) set up escrow recovery, you generate an RSA-4096 keypair in your browser. The public key goes to TSNC; the private key downloads as a .pem file that only you have. We never see it.

From that point on, every new vault entry in your org is double-wrapped: with the user's master password AND your org's public key. If a teacher leaves and we need to recover their passwords, you load the .pem file in your browser, and decryption happens client-side.
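The double wrap described above, as an added example in Node.js (not TSNC's own code). Assumptions: each entry gets a random AES-256-GCM key wrapped twice in parallel, the escrow wrap uses RSA-OAEP with SHA-256, scrypt stands in for Argon2id because Node has no built-in Argon2id, and all function names are hypothetical. Passing no org key models the personal vault, which has no escrow wrap.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM; blob layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}

// Stand-in KDF (assumption): scrypt here, where the page names Argon2id.
const kek = (masterPassword, salt) => crypto.scryptSync(masterPassword, salt, 32);

// Org admin: the public PEM is uploaded, the private PEM stays in the downloaded file.
function newEscrowKeypair(bits = 4096) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: bits,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Client: encrypt the entry under a fresh key, then wrap that key for each party.
function storeEntry(secret, masterPassword, orgPublicPem) {
  const entryKey = crypto.randomBytes(32);
  const salt = crypto.randomBytes(16);
  return {
    salt,
    ciphertext: seal(entryKey, Buffer.from(secret, 'utf8')),
    wrapUser: seal(kek(masterPassword, salt), entryKey),
    wrapEscrow: orgPublicPem // null for a personal-vault entry
      ? crypto.publicEncrypt({ key: orgPublicPem, oaepHash: 'sha256' }, entryKey)
      : null,
  };
}

const unlockAsUser = (rec, masterPassword) =>
  unseal(unseal(kek(masterPassword, rec.salt), rec.wrapUser), rec.ciphertext).toString('utf8');

// Admin recovery needs only the private PEM, never the user's master password.
function recoverAsAdmin(rec, orgPrivatePem) {
  const entryKey = crypto.privateDecrypt({ key: orgPrivatePem, oaepHash: 'sha256' }, rec.wrapEscrow);
  return unseal(entryKey, rec.ciphertext).toString('utf8');
}
```

The stored record holds only ciphertext and wrapped keys, so a server keeping it can return it to either party without being able to open it.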

The two-step approval

Recovery requires:

  • A documented reason (10+ characters of justification)
  • A reason category (departure, account stuck, security investigation, etc.)
  • For platform/enterprise admins: a co-approval from the target org's admin
  • Your org's private .pem file loaded in your browser

Recovery is logged forever. The user being recovered gets a non-suppressible email saying what happened, when, by whom, and why.

Vault wipe (the destructive one)

⚠️
Wipe is irreversible — it destroys ciphertext
When you wipe a vault, the encrypted blobs are gone. We can't restore them from backups because we don't have the keys to decrypt them — only the user does. Use recovery first when possible.

Wipe is reserved for the case where you want a fresh start: a teacher who's coming back from a long leave, or a vault that's gotten so cluttered nobody uses it anymore. Platform admins and enterprise admins cannot trigger wipes — only an admin AT the target user's own school can.

FAQ

What if I lose my master password?
If you have your recovery codes, you can use one to reset the master password without losing your vault. If you don't have recovery codes either, you can ask another org admin to do escrow recovery on your vault. As a last resort, the wipe option starts you over with a fresh empty vault.
Can TSNC see my passwords?
No. Encryption happens in your browser before anything reaches our servers. We see opaque ciphertext. The Argon2id key derivation runs client-side. The vault key envelope is HMAC'd by your master password so we can't even tamper with the wrap. None of this is "trust us" — you can verify in the source code.
Is MFA required for the vault?
By default, yes — and it gates per-session, not just per-login. After 30 minutes of inactivity, the vault re-prompts for your TOTP code. The org admin can adjust the timeout, or disable it entirely (we recommend against it).
What's the browser extension's role?
The extension reads/writes your vault, autofills passwords on sites, warns about breached passwords (via HIBP), and shows safety badges in Gmail. It uses the same end-to-end encryption — the vault key is derived in the extension's WASM Argon2id, never sent.
How do I migrate when I leave the school?
Your school admin will offer you the migration option as part of your departure. You get a 90-day window to copy your personal vault entries to a new personal account, with a 50% discount the first 30 days and 25% off the next 60. Your work entries stay with the org; only what you choose comes with you.