1. Pick a Website ID
Choose an ID for the site, such as 22 for Facebook or 104 for a shopping account. If you use the vault, you can save the ID locally or choose to remember it yourself.
Guide 1.0
Use the same inputs every time you want to recreate the same password. Change an input only when you intentionally want a different password.
Saved encrypted on this device. Your vault PIN is required to decrypt saved entries.
Site: facebook.com
Login: myem***il@hotmail.com
Password hint: ******
Choose an ID for the site, such as 22 for Facebook or 104 for a shopping account. If you use the vault, you can save the ID locally or choose to remember it yourself.
Type a master password only you know. GoblinPass uses it during generation, but it does not save the master password.
Pick length, counter, character groups, and password style. Example: length 16, counter 1, with lowercase, uppercase, numbers, and symbols enabled.
Press Generate & copy. The same Website ID, Master Password, counter, and enabled optional factors will regenerate the same password later.
YubiKey PRF guide
YubiKey mode is for high-value accounts such as email, banking, GitHub, PayPal, and crypto. It requires Windows 11 and a YubiKey that supports PRF/hmac-secret. GoblinPass does not use the YubiKey as ordinary login-only 2FA; the PRF result becomes part of the generated password.
Use Windows 11 with a current Chromium-based browser and a YubiKey that supports PRF/hmac-secret. If PRF data is not returned, GoblinPass stops instead of generating a normal fallback password.
With YubiKey enabled, the password recipe becomes Website ID, Master Password, optional Additional Secret, and YubiKey PRF. Without the same YubiKey PRF result, the same password cannot be regenerated.
No registration is needed in GoblinPass. When you generate, authenticate with your physical YubiKey/security key.
Please sign in to goblinpassuk.github.io.
If Windows asks for your security key PIN, enter the PIN for the YubiKey, then touch the key when prompted.
If PRF fails, GoblinPass will show a warning and will not generate the YubiKey-protected password.
Mobile YubiKey PRF support is more inconsistent than Windows 11. If the browser or phone does not return PRF data, GoblinPass will stop rather than generate a fallback password.
Generator
The Generator tab is where the password is recreated. The most important inputs are the Website ID and Master Password. Optional fields can help you label an entry or save local metadata in the vault.
Example: 22. This is the site number you choose and
reuse for that account. The same ID is needed to regenerate the same
password later.
Example: facebook.com and myemail@hotmail.com.
These can help identify the entry locally, especially if you use
alias emails.
This is the private secret only you know. GoblinPass uses it during generation and does not save it in the vault.
Length controls the output size. Counter lets you move to a new password for the same site without changing the Website ID.
Tool preview
These example screens show the basic flow: generate a site-specific password, set a local vault PIN, save an entry, and reveal only the first part of the password as a hint when needed.
Saved encrypted on this device. Your vault PIN is required to decrypt saved entries.
Create a permanent 4 digit vault PIN. This PIN will be required to view saved IDs.
Saved encrypted on this device. Your vault PIN is required to decrypt saved entries.
Site: facebook.com
Login: myem***il@hotmail.com
Password hint: ******
Length: 16 - Counter: 1
Saved encrypted on this device. Your vault PIN is required to decrypt saved entries.
Site: facebook.com
Login: myem***il@hotmail.com
Password hint: jFX5@
Length: 16 - Counter: 1
GoblinPass can include an option to save full login information for an entry. That can expose the email address used for the account, so it is best treated as a deliberate choice rather than a default habit.
If you use alias emails, saving the login locally can help you keep track of which alias belongs to which website. This can be useful when the information stays local and is protected carefully.
Settings tab
Settings let you choose optional behaviour once, then keep using the generator without ticking the same boxes every time. Preferences are saved locally in the browser, but private secrets such as the master password and Additional Secret are not saved.
Additional Secret
The Additional Secret adds an extra secret to generation. It is required in full when enabled and is not stored by GoblinPass.
Trusted Device Protection
If the Trusted Device Key is lost and no recovery key was saved, matching passwords cannot be recovered.
Maximum Security remains the default. Memorable passwords can be easier to type on TVs, consoles, and handheld devices.
Google is not required. If Google Security Factor is enabled, the same Google account is needed to regenerate matching passwords.
Password tips
Every important website should have a unique password. Reusing one password across many sites turns one breach into many possible account takeovers.
Your main Gmail, Hotmail, Outlook, or private email account should be treated like a master key because it can reset many other accounts.
Changing Password1 to Password1! is not enough. Attackers often try common variations after a leaked password appears.
Email aliases can reduce exposure and make leaks easier to isolate, but they do not stop phishing. Still check suspicious emails and links.