Stateless Gen 1.0
Stateless Gen 1.0
The original GoblinPass generator runs from local static files. It keeps the
generator, vault, settings, manifest, icons, style, and script inside
the /goblinpass folder.
Original generator and vault
Use the GoblinPass app directly inside this website page. The
standalone app still lives in /goblinpass for people who
want the mobile-friendly installable version.
The app does not save your master password or full generated passwords. Optional vault metadata is stored locally in the browser.
Open standalone appGoblinPass
Tiny vault. Minimal secrets.
The full Additional Secret is required every time. GoblinPass does not store it.
Recommended for banking, email, GitHub, PayPal, and crypto.
No registration is needed in GoblinPass. When you generate, authenticate with your physical YubiKey/security key. If the key does not return PRF data, GoblinPass will stop instead of making a normal password.
YubiKey mode changes the generated password only when WebAuthn returns a real PRF password ingredient.
Memorable passwords are easier to enter on consoles, TVs, handheld devices, and controllers. Maximum Security remains recommended for email, banking, and important accounts.
Vault
Saved encrypted on this device. Your vault PIN is required to decrypt saved entries.
Create or enter your vault PIN to decrypt your local vault.
Settings
Vault
Keeps saved entries easier to reuse. Turn this off if you prefer to remember IDs yourself.
Security
Default on. Turning this off removes the master password from the password recipe.
Warning: without a master password, recovery depends on the remaining enabled factors. Only use this if you intentionally want Google Factor or other security methods to replace the master password.
More info
Recommended formats include G48372, DOG123, CAT456, or GP4837. Suggested format: 2 letters + 4 digits, for example GP4837.
The Additional Secret adds another private input to password generation. It may reduce risk from basic keyloggers, but it cannot protect against a fully compromised device, screen recording, or advanced malware.
Trusted Device Protection: Disabled
More info
Trusted Device Protection adds a hidden local key to password generation. Passwords created with it enabled need the same trusted key restored on another device.
If the Trusted Device Key is lost and no recovery key was saved, passwords generated with Trusted Device Protection cannot be recovered.
Privacy
Copies the generated password without showing it on screen.
Google Sign-In
Optional. Google Sign-In can identify the user for future encrypted vault sync/import/export convenience. It is not used for password generation unless Google Security Factor is enabled.
When enabled, GoblinPass requires Google Sign-In and uses the stable Google account subject ID as an extra password ingredient. It does not use your email address.
If you lose access to this Google account, you may not be able to regenerate the same passwords.
Google Sign-In: Not signed in
More info
Google Sign-In uses basic identity only. Do not add a Google client secret to this static site. The Google Subject ID is kept in memory for generation and is not saved in plain text.
Build Fork
Brand your own GoblinPass fork
Create a branded static GoblinPass package while keeping the password engine separate from your theme, logo, colours, and about text.
Generated configuration
Branding is saved in config.json and
themes/config.json. The password engine remains in
/core.