How It Works
PwdPal generates passwords directly in your browser using cryptography you can verify. No accounts, no servers, no data collection.
What's stored — and what isn't
Stored on your device
- Your seed phrase (in localStorage, on this device only)
- Your saved domain list and per-site preferences
- Your theme choice
Never stored, anywhere
- Your pattern — you redraw it each session
- Generated passwords — only on your clipboard, transiently
- Anything on a server — PwdPal has no backend
How a password is derived
Every password is the deterministic result of three inputs combined through PBKDF2:
master = pattern.join('-') + ':' + seed
salt = 'pwdpal:' + domain + ':' + counter
bytes = PBKDF2(master, salt, 600000, SHA-256)
password = bytesToCharacters(bytes, rules)
The same inputs always produce the same password. Different inputs always produce different passwords. There's no central record of any of this — the math is the storage.
Rotating a password
Because every password is derived deterministically from its inputs, a fresh password for the same site requires a fresh input. To rotate, append #1, #2, and so on to the domain — for example, gmail.com#1 produces a completely different password from gmail.com, and from gmail.com#2.
The rotation suffix appears as a small superscript on the saved card, and the icon still resolves to the original site — so a rotated entry stays recognisable at a glance.
Cryptographic parameters
| Algorithm | PBKDF2 (Password-Based Key Derivation Function 2) |
|---|---|
| Hash | SHA-256 |
| Iterations | 600,000 — meets the OWASP 2023 recommendation |
| Implementation | Native Web Crypto API — no third-party crypto libraries |
Verify it yourself
You can verify all of this yourself. Open your browser's DevTools and check:
- Network tab: generate a password and confirm zero outgoing requests for password material
- Application → Local Storage: see exactly what's stored, in plain text
- Sources tab: the JavaScript source isn't minified — every line is auditable
FAQ
What if I forget my seed?
There's no recovery, by design. Your seed and pattern are the only inputs needed to regenerate your passwords — without them, the passwords cannot be reconstructed by anyone. This is the trade-off for having security that prioritizes your full privacy.
Can you reset my passwords?
No. No one has your passwords, your seed, or your pattern, since none of these ever leave your device. So there's nothing for anyone to access.
What happens if my device is lost?
Your seed phrase is in this device's localStorage. If the device is wiped, that copy is gone — but as long as you can remember the same seed and reproduce the same pattern, you can regenerate every password on a new device by entering the domain.
Why doesn't PwdPal store my pattern?
By design. The pattern is the only input that requires drawing — it's the "something you do" factor that makes the security model work. If it were stored, anyone with access to your device could regenerate your passwords without you.