Password Manager Built for Schools

Military-grade encryption. Zero-knowledge architecture. Designed for schools and faith-based organizations of every tradition.

Everything Your School Needs

Autofill Everywhere

Login credentials automatically fill on any website. Your staff clicks the TSNC shield icon, selects their account, and they're in. No more sticky notes on monitors.

Argon2id + AES-256-GCM

The strongest password-based encryption stack available in 2026. A key derived with Argon2id (RFC 9106: memory-hard, GPU-resistant) wraps a per-user vault key, which is encrypted with AES-256-GCM. Your passwords are encrypted on your device before they ever reach our servers.

Shared Collections

Create password groups for departments: 'Front Office,' 'IT Systems,' 'Diocesan Portals.' Share securely with staff who need access. Revoke instantly when they leave.

🚨

Breach Alerts

Every password is checked against Have I Been Pwned's database of 14+ billion breached credentials. If a password appears in a breach, your staff is warned immediately.

Admin Dashboard

School administrators see password health across all staff: who has weak passwords, who's reusing credentials, who hasn't set up their vault yet. No passwords are ever visible.

Account Recovery

When a staff member leaves, administrators can recover their saved credentials through a formal approval process. No passwords are lost during transitions.

🌐

External Sharing (Approved)

Need to share credentials with a vendor or diocese office? External shares require administrator approval and are fully logged. Complete audit trail.

MFA Required

Multi-factor authentication is mandatory for vault access. Even if someone steals a password, they can't access the vault without the second factor.

Easy Import

Switch from Google Passwords, Apple Keychain, Bitwarden, LastPass, 1Password, Firefox, or Dashlane in minutes. Upload your CSV export and we'll do the rest, then remind you to delete the file.

Why You Can Trust Us

We don't just claim to be secure; we prove it with industry-leading encryption, transparent architecture, and measurable security standards.

Continuously scanned for vulnerabilities

Our infrastructure is monitored 24/7 by Intruder, an automated vulnerability scanning service. New CVEs and emerging threats are checked against our public-facing systems continuously, with high-severity findings triaged within 24 hours.

Our Encryption vs. The Industry

| Feature | ThouShaltNotClick | Bitwarden | 1Password | LastPass |
|---|---|---|---|---|
| Cipher | AES-256-GCM | AES-256-CBC | AES-256-GCM | AES-256-CBC |
| Key Derivation | Argon2id ✓ | PBKDF2 (Argon2 opt-in) | PBKDF2 + Secret Key | PBKDF2-SHA256 |
| Memory-Hard KDF (default) | ✅ Yes | ❌ Opt-in only | ❌ No | ❌ No |
| Envelope Integrity (HMAC) | ✅ Yes | - | - | - |
| Zero-Knowledge | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Client-Side Encryption | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Breach Monitoring | ✅ Real-time | ✅ Vault reports | ✅ Watchtower | ⚠️ Premium only |
| Built-in Phishing Protection | ✅ 6-source AI | ❌ No | ❌ No | ❌ No |
| School/Diocese Focus | ✅ Purpose-built | ❌ Generic | ❌ Generic | ❌ Generic |
| Business Price/User/Month | $1 | $4 | $7.99 | $7 |
| Major Breach History | ✅ None | ✅ None | ✅ None | ❌ 2015, 2022 |

Argon2id Key Derivation

The modern standard recommended by OWASP, NIST, and the IETF (RFC 9106). Memory-hard by design: a brute-force attacker cannot speed up cracking with GPUs or custom ASIC hardware the way they can with PBKDF2.

AES-256-GCM: Government Grade

AES-256 is approved by the U.S. National Security Agency for TOP SECRET information. The GCM mode (Galois/Counter Mode) provides both encryption AND authentication in a single pass, more secure than the CBC mode used by Bitwarden and LastPass.

Envelope Integrity (HMAC-SHA256)

The wrapped vault key, salt, and KDF parameters are protected by an HMAC signature derived from your master password. If anyone tampers with your envelope on the server, the unlock fails: the server can't forge the signature without your password.
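
The envelope check described above, as an added example that is not ThouShaltNotClick's code: the client MACs the salt, KDF parameters, and wrapped key with a key derived from the master password, and refuses to unlock if any of them changed on the server. Assumptions: the field names and function names are hypothetical, scrypt from the Python standard library stands in for Argon2id, and the wrapped vault key is treated as opaque bytes.

```python
import hashlib, hmac, json, os

def derive_keys(password, salt, kdf):
    # Stand-in KDF: stdlib scrypt (memory-hard); the page's product uses Argon2id.
    okm = hashlib.scrypt(password, salt=salt, n=kdf["n"], r=kdf["r"], p=kdf["p"],
                         maxmem=64 * 1024 * 1024, dklen=64)
    return okm[:32], okm[32:]  # (key-wrapping key, envelope MAC key)

def mac_input(env):
    # Canonical JSON so sealing and opening MAC byte-identical input.
    covered = {k: env[k] for k in ("salt", "kdf", "wrapped_key")}
    return json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()

def seal_envelope(password, wrapped_key, kdf):
    salt = os.urandom(16)
    _, mac_key = derive_keys(password, salt, kdf)
    env = {"salt": salt.hex(), "kdf": dict(kdf), "wrapped_key": wrapped_key.hex()}
    env["mac"] = hmac.new(mac_key, mac_input(env), hashlib.sha256).hexdigest()
    return env

def open_envelope(password, env):
    wrap_key, mac_key = derive_keys(password, bytes.fromhex(env["salt"]), env["kdf"])
    expected = hmac.new(mac_key, mac_input(env), hashlib.sha256).digest()
    # Verify before touching the wrapped key; constant-time comparison.
    if not hmac.compare_digest(expected, bytes.fromhex(env["mac"])):
        raise ValueError("envelope integrity check failed")
    return wrap_key, bytes.fromhex(env["wrapped_key"])  # caller unwraps with AES-256-GCM

if __name__ == "__main__":
    kdf = {"n": 2**14, "r": 8, "p": 1}   # constructed scrypt parameters
    blob = os.urandom(60)                 # constructed stand-in for a wrapped vault key
    env = seal_envelope(b"example master password", blob, kdf)
    print("intact:", open_envelope(b"example master password", env)[1] == blob)
    downgraded = dict(env, kdf={"n": 2**10, "r": 8, "p": 1})
    try:
        open_envelope(b"example master password", downgraded)
    except ValueError as exc:
        print("downgraded KDF parameters:", exc)
```

Because the KDF parameters are inside the MAC, a server-side change that weakens them is rejected the same way as a swapped wrapped key or salt.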

Zero-Knowledge Architecture

Your passwords are encrypted on your device before they reach our servers. We store only ciphertext, mathematically indistinguishable from random noise. Even if our servers were compromised, your passwords remain unreadable.

Database Segregation

Vault data lives in a dedicated, separate database from the rest of your account information. A SQL injection bug in our main code can't reach vault data; a leaked credential for one database doesn't compromise the other.

6-Source Threat Intelligence

Every email you receive is scanned against PhishDestroy (770K+ threats), Google Safe Browsing, URLhaus, IPQS, EmailRep, and WHOIS domain age checks. No other password manager includes built-in phishing detection.

Full Audit Trail

Every vault access, password share, collection change, and admin action is logged with timestamps, IP addresses, and user identifiers. Schools can provide complete compliance records for FERPA, CIPA, and diocesan audits.

MFA + Device Trust

Vault access requires multi-factor authentication. Trusted devices are validated by both browser fingerprint AND network address; a new device or new network always triggers MFA verification.

The Math Behind Your Security

AES-256 has 2²⁵⁶ possible keys; that's 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 combinations. If every computer on Earth tried a billion keys per second, it would take longer than the age of the universe to try them all.

Our Argon2id derivation requires the attacker to allocate 46 MiB of RAM per guess. This is the key insight that makes memory-hard KDFs different from PBKDF2: a brute-force rig that can run a billion PBKDF2 guesses per second can only run a few thousand Argon2id guesses per second on the same hardware budget, because each guess needs its own memory bandwidth. Custom ASICs and GPUs lose most of their advantage.

Combined with a strong master password (12+ characters), your vault would take centuries to crack even with nation-state-level computing resources.

Ready to Secure Your School?

Add the ThouShaltNotClick Password Manager to your Organization plan for just $1/staff/month.

That's 75% less than Bitwarden Business and 87% less than 1Password, with stronger encryption and built-in phishing protection.
