Guide 1.0

How to use Stateless Gen 1.0

Use the same inputs every time you want to recreate the same password. Change an input only when you intentionally want a different password.

Generator
GoblinTiny vault. Minimal secrets.
Generate & copySave
Vault
VaultLock vault

Saved encrypted on this device. Your vault PIN is required to decrypt saved entries.

22

Site: facebook.com

Login: myem***il@hotmail.com

Password hint: ******

UseShow hint
Settings
SettingsLocal
Enable Additional Secret
Copy Password Only

1. Pick a Website ID

Choose an ID for the site, such as 22 for Facebook or 104 for a shopping account. If you use the vault, you can save the ID locally or choose to remember it yourself.

2. Enter your Master Password

Type a master password only you know. GoblinPass uses it during generation, but it does not save the master password.

3. Choose options

Pick length, counter, character groups, and password style. Example: length 16, counter 1, with lowercase, uppercase, numbers, and symbols enabled.

4. Generate and copy

Press Generate & copy. The same Website ID, Master Password, counter, and enabled optional factors will regenerate the same password later.

YubiKey PRF guide

Set up YubiKey password generation

YubiKey mode is for high-value accounts such as email, banking, GitHub, PayPal, and crypto. It requires Windows 11 and a YubiKey that supports PRF/hmac-secret. GoblinPass does not use the YubiKey as ordinary login-only 2FA; the PRF result becomes part of the generated password.

Before you start

Use Windows 11 with a current Chromium-based browser and a YubiKey that supports PRF/hmac-secret. If PRF data is not returned, GoblinPass stops instead of generating a normal fallback password.

What changes

With YubiKey enabled, the password recipe becomes Website ID, Master Password, optional Additional Secret, and YubiKey PRF. Without the same YubiKey PRF result, the same password cannot be regenerated.

1. Enter the website details
GoblinYubiKey PRF enabled
2. Tick Use YubiKey
YubiKey hardware protectionReady
YK
Use YubiKey Recommended for banking, email, GitHub, PayPal, and crypto.

No registration is needed in GoblinPass. When you generate, authenticate with your physical YubiKey/security key.

Generate & copySave
3. Follow Windows 11 prompts
Windows Security

Making sure it's you

Please sign in to goblinpassuk.github.io.

USB
Touch your security key.

If Windows asks for your security key PIN, enter the PIN for the YubiKey, then touch the key when prompted.

4. Confirm PRF was used
YubiKey statusSuccess
YubiKey authenticated and returned a real PRF password ingredient.
Generated and copied: C0V********2#1n Show

If PRF fails, GoblinPass will show a warning and will not generate the YubiKey-protected password.

Windows 11 step-by-step

  1. Open GoblinPass on Windows 11.
  2. Enter the Website ID, optional site/login labels, and your Master Password.
  3. Tick Use YubiKey.
  4. Click Generate & copy.
  5. Follow the Windows Security prompts. Choose your physical YubiKey if Windows offers multiple options.
  6. Enter the YubiKey PIN if asked, then touch the YubiKey.
  7. Use the Copy button if the automatic clipboard copy is blocked after authentication.

Mobile NFC notes

  1. Tick Use YubiKey and press Generate & copy.
  2. Hold the YubiKey next to the phone's NFC area.
  3. A browser message may say no passkeys are available. Keep the YubiKey near the phone.
  4. If an NFC reading error appears, keep holding the YubiKey and choose More options.
  5. The physical YubiKey may then be detected and used for generation.

Mobile YubiKey PRF support is more inconsistent than Windows 11. If the browser or phone does not return PRF data, GoblinPass will stop rather than generate a fallback password.

Generator

The main GoblinPass generator

The Generator tab is where the password is recreated. The most important inputs are the Website ID and Master Password. Optional fields can help you label an entry or save local metadata in the vault.

Main generator example
GoblinTiny vault. Minimal secrets.
Store full login for this entry
✓ a-z✓ A-Z✓ 0-9✓ %!@
Generate & copySave
Generated and copied: 1%GzTU4Meq!BBwQeHide

Website ID

Example: 22. This is the site number you choose and reuse for that account. The same ID is needed to regenerate the same password later.

Site and login

Example: facebook.com and myemail@hotmail.com. These can help identify the entry locally, especially if you use alias emails.

Master Password

This is the private secret only you know. GoblinPass uses it during generation and does not save it in the vault.

Length and counter

Length controls the output size. Counter lets you move to a new password for the same site without changing the Website ID.

Tool preview

How the GoblinPass vault can work

These example screens show the basic flow: generate a site-specific password, set a local vault PIN, save an entry, and reveal only the first part of the password as a hint when needed.

1. GoblinPass tool screen
Goblin Tiny vault. Minimal secrets.
Store full login for this entry
✓ a-z ✓ A-Z ✓ 0-9 ✓ %!@
Generate & copySave
Generated and copied: 1%GzTU4Meq!BBwQeHide
2. Step-by-step vault setup
VaultCancel

Saved encrypted on this device. Your vault PIN is required to decrypt saved entries.

Create a permanent 4 digit vault PIN. This PIN will be required to view saved IDs.

Vault PINSet PIN
3. Example saved entry
VaultLock vault

Saved encrypted on this device. Your vault PIN is required to decrypt saved entries.

22

Site: facebook.com

Login: myem***il@hotmail.com

Password hint: ******

Length: 16 - Counter: 1

UseShow hintCopy loginDelete
4. Hint reveals only the first part
VaultLock vault

Saved encrypted on this device. Your vault PIN is required to decrypt saved entries.

22

Site: facebook.com

Login: myem***il@hotmail.com

Password hint: jFX5@

Length: 16 - Counter: 1

UseShow hintCopy loginDelete

Optional full login details

GoblinPass can include an option to save full login information for an entry. That can expose the email address used for the account, so it is best treated as a deliberate choice rather than a default habit.

Useful with alias emails

If you use alias emails, saving the login locally can help you keep track of which alias belongs to which website. This can be useful when the information stays local and is protected carefully.

Settings tab

How the settings tab works

Settings let you choose optional behaviour once, then keep using the generator without ticking the same boxes every time. Preferences are saved locally in the browser, but private secrets such as the master password and Additional Secret are not saved.

1. Additional Secret settings
SettingsGenerator

Additional Secret

Enable Additional Secret

The Additional Secret adds an extra secret to generation. It is required in full when enabled and is not stored by GoblinPass.

2. Trusted Device Protection
SettingsEnabled

Trusted Device Protection

Enable Trusted Device Protection
Show Recovery KeyRestore Trusted Device

If the Trusted Device Key is lost and no recovery key was saved, matching passwords cannot be recovered.

3. Password style and vault behaviour
SettingsLocal
Save Website IDs in vault

Maximum Security remains the default. Memorable passwords can be easier to type on TVs, consoles, and handheld devices.

4. Google and display options
SettingsOptional
Copy Password Only
Google Security Factor
Set up Google Sign-InSign out

Google is not required. If Google Security Factor is enabled, the same Google account is needed to regenerate matching passwords.

Password tips

Better habits make the system stronger

Use unique passwords

Every important website should have a unique password. Reusing one password across many sites turns one breach into many possible account takeovers.

Protect your email account

Your main Gmail, Hotmail, Outlook, or private email account should be treated like a master key because it can reset many other accounts.

Avoid tiny variations

Changing Password1 to Password1! is not enough. Attackers often try common variations after a leaked password appears.

Use aliases carefully

Email aliases can reduce exposure and make leaks easier to isolate, but they do not stop phishing. Still check suspicious emails and links.