Zero-knowledge · Open source · Auditable

The password manager that can't read your passwords.

Zero-knowledge by construction.
Open source by default.

nopwd / crypto-model
master password
↓  Argon2id
64 MB · 3 iterations
runs only on your device, never transmitted
client key · never leaves device
↓  AES-256-GCM
each vault item encrypted individually
unique nonce per item
encrypted vault · ciphertext only
↓  SRP-6a
server verifies you know the password
without ever seeing or receiving it
server holds zero plaintext
cryptographically verified, not promised
AES-256-GCM · Argon2id · SRP-6a · Open source · No telemetry · Free forever

How it works

Math, not promises.

01 · Your key, on your device

When you log in, your master password runs through Argon2id locally — 64 MB of memory, 3 iterations. The derived key never leaves your device.

02 · Authenticate without revealing

SRP-6a lets our server verify that you know your password without you ever sending it. Not even a hash. A compromised server learns nothing.

03 · Encrypted blobs, decrypted locally

We store and sync AES-256-GCM ciphertexts. Your browser or app decrypts them with the key only you have. We cannot read them — by design.

Capabilities

Everything a password manager owes you.

All of it end-to-end encrypted. None of it readable by us.

Passkeys

The extension is a full WebAuthn authenticator. Create and use passkeys on any site; they sync inside your encrypted vault like everything else.

Recovery kit

A one-time offline code that can restore your vault if you forget the master password. The server stores a blob it cannot read — recovery stays zero-knowledge.

One-time sharing

Send a credential to anyone with an expiring link. The decryption key lives in the URL fragment and never reaches our servers.

TOTP + breach checks

Consolidate your 2FA codes and audit every password against HaveIBeenPwned via k-anonymity. Nothing leaves your device in cleartext.

Tags and instant search

Organize with encrypted tags — the server can't see how you label your life. Import from 1Password without losing a thing.

Autofill, CLI, desktop

Browser autofill, the "nopwd run" command for injecting secrets into processes, an SSH agent, and biometric unlock on desktop.

Threat model

What nopwd cannot do.

We state limits before features. If you want reassurance without verification, use a different product.

Protects you from

Compromised server

Attacker gets only ciphertext. No key, no readable data.

Database breach

Each user has a unique derived key. A breach reveals no plaintext.

Network interception

SRP-6a: your password never crosses the wire, not even as a hash.

Does not protect against

Compromised device

If an attacker controls your device, they can observe decryption.

Forgotten master password without a recovery kit

Zero-knowledge means we can't reset it for you. Generate the offline recovery kit — a one-time code only you hold — or accept that loss is permanent.

Weak master password

Security is proportional to entropy. A weak key is a weak vault.

Assumes

  • The client code you run matches the open-source repository (verify with reproducible builds).
  • Your device is not compromised at the moment you unlock your vault.
  • Your master password is unique and not reused on other services.

Pricing

Simple. No catch.

Free

€0

forever

  • Unlimited vault items
  • Sync across all devices
  • Browser extensions
  • macOS desktop + Touch ID
  • AES-256-GCM encryption
  • Argon2id key derivation
  • Team vault (up to 3 members)
  • Open source & auditable

Pro · Most popular

€4 / month

or €36/year · save 25%

  • Everything in Free
  • Encrypted file attachments
  • Hardware key 2FA
  • Emergency access
  • REST API access
  • Priority support

Teams

€5 / seat

per month · min 3 seats · annual

  • Everything in Pro
  • Unlimited org members
  • SSO / SAML
  • Audit logs
  • Dedicated support