Stateless Gen 2.0
Gen 2.0 can auto-record map details, but the password itself is still regenerated rather than stored.
Security Overview
GoblinPass is stateless: the generated password is recreated from the same inputs instead of being stored in an online vault.
No passwords are stored on GoblinPass servers. Optional vault metadata can stay local on your device if you choose to use it.
Visual model
GoblinPass now separates the experience into clear local tools: generation, encrypted notes, and Security Map metadata.
Gen 2.0 can auto-record map details, but the password itself is still regenerated rather than stored.
Secure Notes are opened locally and exported as encrypted data for the same unlock method.
YubiKey is working now. Passkey and biometric options are shown as planned routes rather than hidden surprises.
Optional protection layers
These settings are optional. Existing passwords stay the same unless a user deliberately enables an extra factor and keeps using it.
Google Security Factor
Google Security Factor is optional and separate from normal generation. When it is off, GoblinPass keeps the standard formula unchanged. When it is on, the signed-in Google account becomes another hidden ingredient in the password derivation process.
GoblinPass uses Google Identity Services for basic sign-in. It uses a frontend Client ID only, with no client secret, because this is a static GitHub Pages app.
Google provides a stable account subject ID. GoblinPass can use that ID as hidden input material during password derivation. The email address is not used as the password ingredient, and the subject ID is not shown as a normal setting.
This is derivation input, not a public password field. It should be thought of as an extra account-bound factor used alongside the Website ID, master password, and optional Additional Secret.
With Google Security Factor enabled, someone who only knows your master password and Website ID still should not be able to recreate the same passwords without also signing into the same Google account. In practice, that means an attacker would need to defeat your Google account protection as well as know your GoblinPass inputs.
This does not make GoblinPass unhackable. A fully compromised device, malicious browser extension, phishing attack, or stolen Google session can still create risk. If you enable this feature, protect your Google account with a strong password and two-factor authentication.