Additional Secret
Requires an extra secret phrase.
Security Model
Understand how GoblinPass protects your passwords and how it compares to traditional stateless password managers.
Security Layers Diagram
Stateless password tools recreate passwords from repeatable inputs. GoblinPass can add optional independent layers, while keeping each layer transparent to the user.
Threat Protection Matrix
The table below is educational, not a guarantee. Protection depends on which optional GoblinPass features are enabled and how carefully the user protects their device, Google account, and recovery information.
| Threat | Competitor (LessPass) | GoblinPass | Advantage |
|---|---|---|---|
| Website Database Breach | Protected | Protected | Equal |
| Cloud Vault Breach | Protected | Protected | Equal |
| Password Reuse | Protected | Protected | Equal |
| Keylogger Attack | Vulnerable | Protected | |
| Shoulder Surfing | Vulnerable | Protected | |
| Screen Watching | Vulnerable | Protected | |
| Clipboard Monitoring | Vulnerable | Protected | |
| Device Theft | Protected | Partial Protection ? | |
| Lost Device | Protected | Vulnerable | |
| Fully Compromised Computer | Vulnerable | Partial Protection ? | |
| Malware Reading Memory | Vulnerable | Partial Protection ? |
If any required security method is lost, such as your master password, Additional Secret, Trusted Device ID, Google Factor, or YubiKey, you may be unable to re-generate the same password. Google Factor can only act as a recovery path if the password recipe was intentionally created with Google Factor and without using a master password.
Security Layers Comparison
LessPass mainly depends on one secret layer: the master password. The site and login inputs identify the account, but they are often visible or guessable.
GoblinPass can use up to five independent security layers: master password, Additional Secret, Trusted Device Protection, YubiKey PRF, and Google Security Factor.
Important Reality Check
GoblinPass is designed to reduce common risks, but it does not make a compromised device safe. No password manager can protect against every attack.
If an attacker controls the machine, they may be able to see inputs, outputs, browser content, and clipboard activity.
Advanced malware can observe memory, keystrokes, screen content, and browser behaviour. Extra layers can reduce risk, but not eliminate it.
If attackers control the operating system, they can often bypass normal application boundaries and observe trusted actions.
GoblinPass Advantages
A private ID can avoid placing the real site name or email address into the generation formula every time.
Optional vault details stay on the device. The vault can help track IDs and aliases without requiring an online password vault.
A second secret can be entered normally, through a shuffled keyboard, or through a mobile combination-style selector.
A hidden local key can bind generated passwords to a trusted device unless the recovery key is restored elsewhere.
Recovery keys let users move Trusted Device Protection to another device, but they must be stored safely offline.
A supported YubiKey can act as a hardware password ingredient. If PRF data is not returned, GoblinPass stops instead of generating a YubiKey-protected password without the key.
Google Security Factor can require the same Google account as an additional derivation ingredient without making Google mandatory.