hassle-free password manager

Passwords you control.
Clarity you feel.

A local-first vault that works like a spreadsheet — fast edits, categories, one-tap copy — while your secrets stay encrypted on-device. Optional sync stores only ciphertext in your database; your master password never leaves your hands.

Getting started Sign In

Built for flow

No vault-inside-vault navigation. One grid: site, URL, username, password, notes — edit inline, expand rows for URL & memo, filter and sort. Categories keep teams and life buckets tidy.

Spreadsheet brain, vault muscle

Type directly in the grid. Reveal or mask passwords per row or globally. Copy username or password in one click; copied passwords auto-clear from the clipboard after 20 seconds.

Categories & search

Drag to reorder folders in settings. Search spans site, URL, username, notes, memo, and category — find the right row without hunting through menus.

Strong passwords, fast

Built-in generator with length and character-class controls, CSPRNG-backed generation, and bias-mitigated modulo — then drop the result straight into the row.

Security that earns the name “vault”

Cryptography runs in your browser via the Web Crypto API. Data at rest in IndexedDB is encrypted; the key material derived from your master password exists in memory only while unlocked.

Key derivation & encryption

PBKDF2-SHA256 with a per-vault salt and 310,000 iterations stretches your master password into a 256-bit key. Entry passwords and the TOTP secret are sealed with AES-GCM-256 and a random 12-byte IV per encryption — modern AEAD, not home-grown crypto. 

master password + salt
        │
  PBKDF2-SHA256 (310k)
        ▼
 AES-GCM key (memory only)
   ├── verifier (proves master password)
   ├── TOTP secret
   └── each entry password (own IV)

What never gets stored

Master password Neither plaintext nor a reusable hash is written to disk or sent to a server.
Derived AES key Lives in memory for your session; discarded on lock or when you close the tab.
Server-side knowledge Google sign-in only proves identity. Optional sync uploads the same ciphertext JSON you could export — never your master password or keys.

Optional sync — encrypted blobs, not trust

When signed in, your vault can sync automatically as encrypted data in your database (e.g. Supabase with row-level security). The server stores what your browser already had: ciphertext. Unlocking still requires your master password and 6-digit TOTP on every device.

Conflict handling

Reconciliation uses vault metadata timestamps so the newest snapshot wins when merging local and remote — predictable behavior for a personal vault.

Portable backups

Export a JSON backup anytime from settings or the lock screen. Import replaces or restores a device — ideal for migration or cold storage alongside sync.

Auto-lock

Idle timeout (1–30 minutes or off) locks the vault automatically. Activity resets the timer so brief walks away don’t leave rows exposed.

Getting started

First launch walks you through a vault you actually own — no vendor password to forget on top of your own.

  1. Sign in with Google Identity for sync only — it doesn’t unlock your vault.
  2. Create a strong master password 10+ characters; strength meter nudges you toward better entropy.
  3. Scan the TOTP QR Use Authenticator, 1Password, Authy, etc., then confirm with a 6-digit code.
  4. Add rows like a sheet Sites, passwords, categories — save and sync when you’re ready.

Ready when you are

Same tool for weekend admins and daily operators: fewer clicks, fewer tabs, more confidence that your credentials never left encryption you control.

Getting started Sign In