Security Overview

Unique passwords from repeatable private inputs

GoblinPass is stateless: the generated password is recreated from the same inputs instead of being stored in an online vault.

Website ID + Master Password + Optional security factors = Generated Password

No passwords are stored on GoblinPass servers. Optional vault metadata can stay local on your device if you choose to use it.

Visual model

What each tool is protecting

GoblinPass now separates the experience into clear local tools: generation, encrypted notes, and Security Map metadata.

Stateless Gen 2.0

Website ID + Master Password + Unlock Factor = Generated Password

Gen 2.0 can auto-record map details, but the password itself is still regenerated rather than stored.

Secure Notes

Plain Notes + Security Key = Encrypted Export

Secure Notes are opened locally and exported as encrypted data for the same unlock method.

Future unlocks

YubiKey Passkey Biometrics

YubiKey is working now. Passkey and biometric options are shown as planned routes rather than hidden surprises.

Optional protection layers

Extra controls when you want them

These settings are optional. Existing passwords stay the same unless a user deliberately enables an extra factor and keeps using it.

Trusted Device Protection

Trusted Device Protection adds a hidden local key to password generation. Passwords created with it enabled cannot be recreated on another device unless the recovery key is restored.

If the Trusted Device Key is lost and no recovery key was saved, passwords generated with this feature cannot be recovered.

Additional Secret

The optional Additional Secret is a second secret typed or selected by the user every time. GoblinPass does not store it, export it, or save it in the vault.

The full Additional Secret is part of the deterministic password input, so partial prompts are not used.

Google Security Factor

When enabled, GoblinPass requires Google Sign-In and uses the stable Google account subject ID as an extra password ingredient. It does not use your email address.

If this is enabled, the same Google account must be used to regenerate the same passwords.

YubiKey PRF

YubiKey PRF mode uses a supported hardware key as part of the password recipe. This is not normal login-only two-factor authentication: the YubiKey must return PRF data before the same password can be regenerated.

This feature is intended for Windows 11 with a YubiKey that supports PRF/hmac-secret. If the browser, operating system, or key does not return real PRF data, GoblinPass stops instead of silently falling back to the normal formula.

YubiKey setup guide

Copy Password Only

Copy Password Only copies the generated password to the clipboard without displaying the full value on screen. This can reduce casual exposure, but it does not protect against a compromised device.

Google Security Factor

Why Google sign-in can be a powerful extra layer

Google Security Factor is optional and separate from normal generation. When it is off, GoblinPass keeps the standard formula unchanged. When it is on, the signed-in Google account becomes another hidden ingredient in the password derivation process.

What sign-in looks like

GoblinPass uses Google Identity Services for basic sign-in. It uses a frontend Client ID only, with no client secret, because this is a static GitHub Pages app.

What is used

Google provides a stable account subject ID. GoblinPass can use that ID as hidden input material during password derivation. The email address is not used as the password ingredient, and the subject ID is not shown as a normal setting.

This is derivation input, not a public password field. It should be thought of as an extra account-bound factor used alongside the Website ID, master password, and optional Additional Secret.

Why it helps

With Google Security Factor enabled, someone who only knows your master password and Website ID still should not be able to recreate the same passwords without also signing into the same Google account. In practice, that means an attacker would need to defeat your Google account protection as well as know your GoblinPass inputs.

Important limits

This does not make GoblinPass unhackable. A fully compromised device, malicious browser extension, phishing attack, or stolen Google session can still create risk. If you enable this feature, protect your Google account with a strong password and two-factor authentication.