Security Model

Security Model

Understand how GoblinPass protects your passwords and how it compares to traditional stateless password managers.

Security Feature Legend

Additional Secret

Requires an extra secret phrase.

Trusted Device ID

Password is tied to a trusted local device.

Copy Only

Password is copied directly, not shown.

Google Factor

Google account sign-in adds an extra factor.

YubiKey

Requires a physical YubiKey (WebAuthn).

Security Layers Diagram

What becomes the generated password?

Stateless password tools recreate passwords from repeatable inputs. GoblinPass can add optional independent layers, while keeping each layer transparent to the user.

LessPass

Site Name + Username + Master Password = Password

Threat Protection Matrix

Common risks and realistic protection

The table below is educational, not a guarantee. Protection depends on which optional GoblinPass features are enabled and how carefully the user protects their device, Google account, and recovery information.

Protected Partial Protection Vulnerable Equal
Threat Competitor (LessPass) GoblinPass Advantage
Website Database Breach Protected Protected Equal
Cloud Vault Breach Protected Protected Equal
Password Reuse Protected Protected Equal
Keylogger Attack Vulnerable Protected
Shoulder Surfing Vulnerable Protected
Screen Watching Vulnerable Protected
Clipboard Monitoring Vulnerable Protected
Device Theft Protected Partial Protection ?
Lost Device Protected Vulnerable
Fully Compromised Computer Vulnerable Partial Protection ?
Malware Reading Memory Vulnerable Partial Protection ?
Recovery warning

If any required security method is lost, such as your master password, Additional Secret, Trusted Device ID, Google Factor, or YubiKey, you may be unable to re-generate the same password. Google Factor can only act as a recovery path if the password recipe was intentionally created with Google Factor and without using a master password.

Security Layers Comparison

Independent layers matter

1

LessPass

LessPass mainly depends on one secret layer: the master password. The site and login inputs identify the account, but they are often visible or guessable.

Important Reality Check

No tool removes every risk

GoblinPass is designed to reduce common risks, but it does not make a compromised device safe. No password manager can protect against every attack.

Fully compromised computers

If an attacker controls the machine, they may be able to see inputs, outputs, browser content, and clipboard activity.

Complete system malware

Advanced malware can observe memory, keystrokes, screen content, and browser behaviour. Extra layers can reduce risk, but not eliminate it.

Operating system control

If attackers control the operating system, they can often bypass normal application boundaries and observe trusted actions.

GoblinPass Advantages

Designed for transparency and practical privacy

Site IDs

A private ID can avoid placing the real site name or email address into the generation formula every time.

Local Vault

Optional vault details stay on the device. The vault can help track IDs and aliases without requiring an online password vault.

Additional Secret

A second secret can be entered normally, through a shuffled keyboard, or through a mobile combination-style selector.

Trusted Device Secret

A hidden local key can bind generated passwords to a trusted device unless the recovery key is restored elsewhere.

Recovery Key

Recovery keys let users move Trusted Device Protection to another device, but they must be stored safely offline.

YubiKey PRF

A supported YubiKey can act as a hardware password ingredient. If PRF data is not returned, GoblinPass stops instead of generating a YubiKey-protected password without the key.

Optional Google Factor

Google Security Factor can require the same Google account as an additional derivation ingredient without making Google mandatory.