The full Additional Secret is required every time. GoblinPass does not store it.
Recommended for banking, email, GitHub, PayPal, and crypto.
YubiKey hardware protectionStatus: Not registered
When generating, choose the same YubiKey credential you originally used. Set up a key only when adding a genuinely new credential.
YubiKey mode changes the generated password only when WebAuthn returns a real PRF password ingredient.
Memorable passwords are easier to enter on consoles, TVs, handheld devices, and controllers. Maximum Security remains recommended for email, banking, and important accounts.
Offline transfer QRScan with another phone to copy the generated password.
Only display this when nobody else can see your screen. The QR code contains the generated password.
Vault
Saved encrypted on this device. Your vault PIN is required to decrypt saved entries.
Create or enter your vault PIN to decrypt your local vault.
Settings
Vault
Keeps saved entries easier to reuse. Turn this off if you prefer to remember IDs yourself.
Security
Default on. Turning this off removes the master password from the password recipe.
Warning: without a master password, recovery depends on the remaining enabled factors. Only use this if you intentionally want Google Factor or other security methods to replace the master password.
Device unlock: Not set up
Uses Windows Hello, Face ID, fingerprint, or your device PIN. Only an encrypted copy is kept in this browser.
More info
Recommended formats include G48372, DOG123, CAT456, or GP4837. Suggested format: 2 letters + 4 digits, for example GP4837.
The Additional Secret adds another private input to password generation. It may reduce risk from basic keyloggers, but it cannot protect against a fully compromised device, screen recording, or advanced malware.
Trusted Device Protection: Disabled
More info
Trusted Device Protection adds a hidden local key to password generation. Passwords created with it enabled need the same trusted key restored on another device.
If the Trusted Device Key is lost and no recovery key was saved, passwords generated with Trusted Device Protection cannot be recovered.
Privacy
Copies the generated password without showing it on screen.
After generation, GoblinPass shows a password QR code and saves the entry to the encrypted vault. Use this for an offline phone that transfers passwords by scan.
Google Sign-In
Optional. Google Sign-In can identify the user for future encrypted vault sync/import/export convenience. It is not used for password generation unless Google Security Factor is enabled.
When enabled, GoblinPass requires Google Sign-In and uses the stable Google account subject ID as an extra password ingredient. It does not use your email address.
If you lose access to this Google account, you may not be able to regenerate the same passwords.
Google Sign-In: Not signed in
More info
Google Sign-In uses basic identity only. Do not add a Google client secret to this static site. The Google Subject ID is kept in memory for generation and is not saved in plain text.
Use GoblinPass 1.0 Offline
Download a self-contained copy of GoblinPass 1.0 for a phone or offline device. The download includes the app styling and script in one HTML file.