How PassCryp Works

Sign up, set a master password, install the extension. That's it. Behind the scenes, your vault key is derived locally, every item is encrypted on your device, and only ciphertext ever syncs. Here's the full flow, end to end.

1. Sign up in 60 seconds

Email + master password. No credit card. Account is live before your coffee cools.

2. Download your recovery kit

A one-page PDF with an encrypted recovery key. Print it, store it offline, never share it.

3. Install the browser extension

Chrome, Edge, Brave. The extension autofills logins and offers to save new credentials.

4. Import your existing vault

LastPass, 1Password, Bitwarden, Dashlane, Keeper, NordPass. CSV or native export. Field mapping is automatic.

5. Use it everywhere

Same vault on laptop, phone, tablet. Same TOTP codes. Same secure notes. Encrypted, synced, always available.

What happens when you set your master password

Your browser generates a random 256-bit vault key. PassCryp derives a wrapping key from your master password using Argon2id with 64 MB memory cost, 3 iterations, and parallelism 1 — the OWASP 2024 recommendation. The vault key is encrypted with the wrapping key and stored on our servers as an opaque blob. Your master password itself is never sent.

When you unlock on a new device, you re-enter your master password, Argon2id re-derives the wrapping key locally, and the blob is decrypted in your browser. The unwrapped vault key sits in memory only for the duration of your session.

How sync works without leaking

Every vault item is encrypted in your browser before it touches the network. Item titles, URLs, passwords, notes, TOTP seeds — all wrapped with AES-256-GCM using a fresh nonce per item. Realtime sync uses Postgres change streams, but the payloads on the wire are ciphertext + nonce + authentication tag. A subscribing device decrypts locally.

Even the database can't see your plaintext: Row-Level Security ensures one user's encrypted rows are never visible to another user, and the rows themselves are encrypted anyway.
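
The vault-key wrapping and per-item encryption described in the two sections above, as an added Node.js example that is not PassCryp's code. scrypt stands in for Argon2id because it ships with Node's standard library; the function names, the blob layout and the use of the item ID as associated data are assumptions of this example.

```javascript
const crypto = require('crypto');

// Stand-in KDF (assumption): the page specifies Argon2id; scrypt is used here
// only because it is built into Node. Parameters are illustrative.
function deriveWrappingKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// AES-256-GCM with a fresh random 96-bit nonce per call. `aad` is authenticated
// but not encrypted, so a blob cannot be replayed under a different label.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(aad));
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or nonce, ciphertext, tag or aad were altered.
function unseal(key, box, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.nonce);
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ciphertext), decipher.final()]);
}

// Signup: random 256-bit vault key, wrapped under the password-derived key.
// Only `serverBlob` would be uploaded; the password and vault key stay local.
function createAccount(masterPassword) {
  const salt = crypto.randomBytes(16);
  const vaultKey = crypto.randomBytes(32);
  const wrapped = seal(deriveWrappingKey(masterPassword, salt), vaultKey, 'vault-key');
  return { vaultKey, serverBlob: { salt, ...wrapped } };
}

// New device: re-derive the wrapping key locally and unwrap the blob.
function unlock(masterPassword, serverBlob) {
  return unseal(deriveWrappingKey(masterPassword, serverBlob.salt), serverBlob, 'vault-key');
}

// Per-item encryption; binding the item ID as AAD is an assumption of this example.
function encryptItem(vaultKey, itemId, item) {
  return seal(vaultKey, Buffer.from(JSON.stringify(item)), itemId);
}

function decryptItem(vaultKey, itemId, box) {
  return JSON.parse(unseal(vaultKey, box, itemId).toString('utf8'));
}
```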

What the daily workflow looks like

You visit a site. The extension detects the login form, matches the domain against your vault, and offers to fill. One click, you're in. If the site uses 2FA, the TOTP code is right there — copy-to-clipboard with 30-second auto-clear.

You sign up for a new service. The extension offers to generate a strong password (20 random characters with full symbol set). You accept, submit the form, and the extension saves the credential to your vault automatically.

You travel. Same vault, same items, same TOTP codes on every device you've ever signed into PassCryp on. Revoke any device from Settings if it gets lost.

Frequently asked questions

Do I need an account to use PassCryp?

Yes — accounts are required for cross-device sync. The generator and strength checker work without signup.

How long does setup take?

About 5 minutes including import. Signup is 60 seconds; importing an existing vault takes a few minutes depending on size.

Can I use PassCryp without the extension?

Yes — the web vault works on its own. The extension just makes autofill seamless on every site.

Does PassCryp work offline?

Yes, for items you've already unlocked in this session. Changes sync when you're back online.

How do I share an item with someone?

Open the item, click Share, enter their PassCryp email. The item is re-encrypted to their public key — we never see the plaintext during sharing.

What happens if I lose my phone?

Sign in on another device, go to Settings → Devices, and revoke the lost phone's session. It can no longer decrypt anything from your vault.
