Zero-Knowledge Architecture: Paskey is designed so that your passwords are never transmitted, stored, or known by anyone but you. All password generation happens 100% locally in your browser using cryptographic algorithms.
🛡️ Security Overview
Key Principle: Paskey uses a deterministic password generation algorithm. Your passwords are mathematically derived from your inputs and are never stored anywhere - not on our servers, not in databases, not even in your browser's storage.
What Makes Paskey Secure
No Password Storage: Unlike traditional password managers, we don't store your passwords. They're generated on-demand.
Client-Side Only: All cryptographic operations happen in your browser. Nothing sensitive ever leaves your device.
Deterministic Generation: Same inputs always produce the same password, so you can regenerate it anytime.
Strong Cryptography: Industry-standard cryptographic algorithms designed to resist brute-force attacks.
⚙️ How Password Generation Works
Paskey generates passwords using a secure, deterministic process:
The Process
Authentication: You sign in with your Google account to establish your identity
Your Inputs: You provide a secret phrase, domain name, and optional settings
Local Generation: Your browser combines these inputs using cryptographic functions to generate a unique password
Consistency: The same inputs will always produce the same password on any device
What This Means For You
You only need to remember your secret phrase
Your passwords are never transmitted over the network
Even if our servers were compromised, your passwords remain safe
You can generate the same password on any device by using the same inputs
📊 Data We Collect
Information We Collect
Google Account Info: Email, display name, and profile picture (for authentication and display purposes only)
Account-Specific Data: Random values unique to your account required for password generation
Encrypted Domain History: The names of domains you've generated passwords for (encrypted before storage)
Information We NEVER Collect or Store
The following are NEVER transmitted to or stored on our servers:
Your secret phrase
Your generated passwords
Your master key or any derived cryptographic keys
Any data that could be used to recreate or guess your passwords
User Document: Contains your email and encrypted domain list
Security Rules: Each user can only access their own document
Data Encryption
Domain history is encrypted before being stored. The encryption key never leaves your browser and is not stored on our servers.
🔒 Security Measures
Automatic Security Features
Feature
Description
Password Auto-Clear
Generated password clears from display after 60 seconds
Clipboard Auto-Clear
Clipboard is cleared 30 seconds after copying
Tab Switch Protection
Secret phrase and password clear when you switch tabs
Secure Input Fields
Password fields are masked by default with toggle visibility
HTTPS Only
All connections are encrypted using TLS
Content Security Policy
Strict CSP headers prevent XSS attacks
Cryptographic Security
Web Crypto API: All cryptography uses the browser's native, audited implementation
No Third-Party Crypto Libraries: Reduces supply chain attack surface
Secure Random Generation: Password characters are selected with uniform distribution
👤 Your Rights
You have full control over your data:
Access: View your domain history anytime
Delete: Clear individual domains or entire history with one click
Export: Your data is visible and can be manually recorded
Portability: Since passwords are deterministically generated, you can use the same inputs on any device
Account Deletion: Contact us to completely delete your account and all associated data
⚖️ Legal Disclaimer
Important: Please read this section carefully.
No Warranty
Paskey is provided "AS IS" without warranty of any kind, express or implied. We do not warrant that the service will be uninterrupted, secure, or error-free.
Limitation of Liability
In no event shall Paskey, its creators, or contributors be liable for any direct, indirect, incidental, special, consequential, or punitive damages arising from:
Your use or inability to use the service
Any unauthorized access to or use of our servers
Any loss of data or passwords
Any bugs, viruses, or similar issues transmitted through the service
Password Responsibility
You are solely responsible for:
Remembering your secret phrase - we cannot recover it
Keeping your Google account secure
Verifying generated passwords work before changing existing passwords
Maintaining backups of critical account recovery information
Not a Password Manager
Paskey is a password generator, not a password manager. We do not store your passwords. If you forget your secret phrase or lose access to your Google account, your generated passwords cannot be recovered.
If you discover a security vulnerability, please report it responsibly by contacting us directly rather than posting publicly. We appreciate your help in keeping Paskey secure.
📝 Changes to This Policy
We may update this privacy and security policy from time to time. We will notify you of any significant changes by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically.