Your Password is Never Stored
Password & Key Derivation
When you create your account, your password is never saved โ not even in encrypted form. Instead, it is used to derive a unique encryption key for your data. This means that even if our entire database were stolen, your password could not be recovered from it. When you log in, the same process derives your key again to decrypt your data.
Nerd Info
Your password is processed using Argon2id โ the winner of the Password Hashing Competition (PHC) and the current OWASP recommendation. Argon2id is a memory-hard function, meaning it requires a significant amount of RAM to compute. This makes brute-force attacks on GPUs or ASICs extremely expensive. The derived key (KEK โ Key Encryption Key) is used to encrypt your personal DEK (Data Encryption Key), which in turn encrypts all your sensitive data. Your password itself is never persisted.
Secure Login & Session Protection
Authentication & Sessions
Login is protected against automated attacks. Every form submission is validated to ensure it originated from within the application, preventing third-party websites from silently submitting forms on your behalf. After a successful login, your session is established securely and tied to your browser.
Nerd Info
All state-changing requests are protected by CSRF tokens (synchronizer token pattern). Session cookies are set with HttpOnly, Secure and SameSite=Strict flags, preventing JavaScript access and cross-site submission. Session IDs are regenerated on login to prevent session fixation attacks. Sessions are stored server-side; the client only holds an opaque session token.
What is AES?
Encryption Standard
AES โ the Advanced Encryption Standard โ is the world's most widely used symmetric encryption algorithm. It is used by banks, hospitals, governments and militaries worldwide to protect sensitive data. Think of it like an extremely complex combination lock: with the right key, the data opens instantly. Without it, cracking it would take longer than the age of the universe โ even with all the computing power on Earth combined.
Nerd Info
AES is a symmetric block cipher standardised by NIST in 2001 (FIPS 197). It operates on 128-bit blocks and supports key sizes of 128, 192 and 256 bits. MyGuns uses AES in GCM (Galois/Counter Mode), which provides both confidentiality and authenticity โ any tampering with the ciphertext is detectable. Each encryption operation uses a random 96-bit IV (Initialisation Vector) to ensure identical plaintexts produce different ciphertexts.
AES-128, AES-192 and AES-256
Encryption Levels
All three variants of AES are considered secure for practical purposes. The difference lies in the key length and the number of processing rounds applied to your data. A longer key means more combinations an attacker would need to try, and more rounds means more transformations โ making the cipher more resistant to cryptanalytic attacks. Even AES-128 would take billions of years to brute-force with current or foreseeable technology.
| Level |
Key Length |
Rounds |
Security |
Available on |
| AES-128-GCM |
128 bit |
10 |
Very High |
Free & up |
| AES-192-GCM |
192 bit |
12 |
Extremely High |
Plus & up |
| AES-256-GCM โญ |
256 bit |
14 |
Military-grade |
Pro |
Nerd Info
AES-128 uses 10 rounds of substitution-permutation, AES-192 uses 12 and AES-256 uses 14. The theoretical brute-force complexity is 2^128, 2^192 and 2^256 operations respectively. For reference: 2^128 โ 3.4 ร 10^38 โ far beyond any computational capacity conceivable with classical computers. AES-256 additionally provides a larger security margin against potential future advances in cryptanalysis, and is required by NSA Suite B for TOP SECRET classification.
GCM โ Encryption with Built-in Integrity Check
Authenticated Encryption
MyGuns does not just encrypt your data โ it also verifies that nobody has tampered with it. If any bit of your stored data were modified by an attacker, the decryption would fail immediately and the application would reject the data. This protection is built into every single field we store.
Nerd Info
GCM (Galois/Counter Mode) combines AES counter-mode encryption with a GHASH authentication tag (128-bit MAC). This makes it an AEAD (Authenticated Encryption with Associated Data) scheme. The authentication tag is computed over both the ciphertext and optional associated data (e.g. a field identifier). Any modification to either โ even a single bit flip โ produces a tag mismatch, making tampering detectable. This means MyGuns fields are protected against both passive eavesdropping and active ciphertext manipulation.
SSL/TLS โ Encrypted in Transit
Transport Security
Every byte transmitted between your browser and our servers is encrypted. This means that even if someone were monitoring your network connection โ on a public Wi-Fi for example โ they would only see unintelligible data. The padlock icon in your browser's address bar confirms this protection is active.
Nerd Info
The connection is secured using TLS 1.2 or TLS 1.3 (Transport Layer Security). TLS uses asymmetric cryptography (RSA or ECDSA) for the initial handshake and key exchange, then switches to symmetric AES for the actual data transfer. TLS 1.3 additionally provides forward secrecy via ephemeral Diffie-Hellman (ECDHE), meaning that even if the server's private key were later compromised, past sessions could not be decrypted.
Session Sharing & Companion Access
Multi-user Encryption
When you invite a companion to a shooting session, they can record their own shots and see shared session information โ but they never gain access to your personal gun inventory, ammunition data or private notes. Each user's personal data remains protected by their own key. Shared session data is accessible to all participants through a separate session-level key.
Nerd Info
Each shooting session has its own AES session key generated at creation time. When a companion joins, the session key is encrypted with their personal DEK (Data Encryption Key) and stored as a separate record โ meaning each participant holds their own encrypted copy of the session key. Gun thumbnails visible during a shared session are re-encrypted with the session key so all participants can display them, without ever exposing the owner's personal DEK or the original image. This is conceptually similar to envelope encryption used in cloud KMS systems.
Recovery Key
Emergency Access
If you forget your password, your recovery key is the only way to regain access to your data. It is generated once when you set it up and should be stored in a safe place โ like a password manager or printed and locked away. Without it, and without your password, your data cannot be recovered. Not by you, and not by us.
Nerd Info
The recovery key is a cryptographically random token that, like your password, can be used to derive your KEK (Key Encryption Key) and thus decrypt your DEK. It is stored as a separate encrypted version of your DEK, protected by an Argon2id-derived key from the recovery token. This means the recovery key provides the same mathematical access as your password โ but it is a separate secret, so compromising one does not compromise the other.