Changelog

    What's new in Pwdly

    Every shipped feature, fix and security update. No marketing fluff — just the diff. Read the deeper context on the News blog or our security model.

    • feature: Added double-click functionality for inline editing.
    • improvement: Added right-click context menu for quick actions on Dashboard.
    • improvement: Added CMD/Ctrl-click functionality for multi-select actions.
    • improvement: Enabled sticky actions column for better visibility.
    • feature: Shared TOTP codes now publicly available! Attach an authenticator secret to any credential and every project member gets a live, auto-refreshing six-digit code without a separate app.
    • feature: Phone-as-scanner: generate a short-lived QR pairing link so your phone camera can capture a service's TOTP QR and securely relay the encrypted secret to your desktop browser.
    • improvement: Display TOTP codes inline in dashboard with live countdown ring and copy.
    • feature: TOTP/authenticator code generation rolled out to all public beta testers.
    • improvement: Mobile layout improvements across the Dashboard and Projects pages.
    • improvement: Credential list now displays an icon when a TOTP code is configured.
    • fix: Credential modal now always fetches fresh data on open, preventing stale content.
    • feature: Beta - implementation of TOTP/authenticator code generation per credential.
    • improvement: Expanded coverage and depth of password manager comparison pages.
    • improvement: Further accuracy checks and fact-checking pass across comparison pages.
    • feature: Added magic link authentication flow.
    • improvement: Improved edge function deployment process.
    • security: Version bump on several dependencies for continued security enhancements.
    • fix: Fixed occasional race condition in KDF pepper fetching whilst existing session exists.
    • improvement: Improved recording of login attempts & UI.
    • feature: Login attempts from differing sources now tracked separately.
    • security: Strengthened KDF pepper endpoint access control.
    • improvement: Improved mnemonic error wording.
    • improvement: Improved enforced MFA flow UI/UX.
    • improvement: Improved naming & branding within payment checkout.
    • fix: Added privacy policy, support email & support links within payment journey.
    • improvement: Improved interface of user login history, grouping by IP address.
    • fix: Minor administration fixes to support user onboarding.
    • security: Independently audited & reviewed GDPR compliance.
    • improvement: Moved Google-hosted fonts to local hosting for improved privacy.
    • security: Strengthened key derivation with a server-side KDF pepper.
    • security: Added Content-Security-Policy with SHA-256 script integrity hashes.
    • security: Hardened HTTP security headers across all responses.
    • security: Added Cloudflare Turnstile to block automated sign-up and login attempts.
    • improvement: Revised seat enforcement and pricing model for Teams plans.
    • security: Published security disclosure policy and security.txt at /.well-known/security.txt.
    • fix: Privacy policy corrected — clarified that the master key never touches localStorage.
    • improvement: Documented the 6-digit invite code Argon2id derivation and rate-limiting on the security page.
    • feature: Bulk actions for credentials — select, move, and delete multiple items at once.
    • improvement: Drag-and-drop reordering for credentials within a project.
    • improvement: Custom fields now included when sharing a credential.
    • improvement: Auto screen-lock uses tab-visibility combined with idle detection for faster locking.
    • improvement: Refined transactional email templates for compatibility across email clients.
    • improvement: Audit trail extended to cover all credential sharing actions.
    • improvement: Improved invite flow with smart suggestions and better email handling.
    • improvement: Unified owner and admin roles for clearer team permission wording.
    • improvement: Moved export and account controls to the Profile page.
    • feature: Credential sharing — share individual credentials with team members based on your plan tier.
    • feature: Shareable secure links for one-off credential transfers.
    • improvement: Teams and admin project handling improvements.
    • feature: Team management with roles, permissions, and per-project member editing.
    • feature: Admin controls including project deletion.
    • improvement: Team member visibility and UI improvements.
    • feature: Audit trail for Pro teams — see who viewed, edited or shared each credential.
    • improvement: How-Sharing-Works walkthrough added to the Security page.
    • fix: Fixed a race condition when re-wrapping project keys for newly accepted invitees.
    • security: Concurrent sign-in attempts from different locations are now flagged and blocked.
    • feature: Login activity tracking with device and browser detail per session.
    • improvement: Free plan import limits enforced.
    • improvement: Navigation and layout responsiveness improvements.
    • feature: Secure credential sharing via expiring links.
    • feature: Unified import modal supporting CSV, JSON, Chrome, and Firefox password exports.
    • feature: Credential export with explicit warnings when the output format is unencrypted.
    • improvement: Custom field values included in credential exports.
    • feature: Audit log with field-level change tracking — see exactly what was modified on each credential.
    • improvement: Mnemonic input now supports pasting multiple words at once with improved keyboard navigation.
    • improvement: Renamed 'recovery phrase' to 'login phrase' for clarity.
    • improvement: Login session visibility and messaging improvements.
    • feature: Seat-based billing and plan enforcement for Teams.
    • improvement: Billing email notifications for seat changes and renewals.
    • improvement: In-app feedback when a team is at or over its seat limit.
    • improvement: Improved invite flow and email handling for team onboarding.
    • improvement: Enhanced team and member management UI.
    • feature: Email verification and self-service password reset.
    • feature: Login tracking by device and browser for each session.
    • security: Security alert emails sent when a sign-in occurs from an unrecognised device.
    • improvement: Dashboard filtering and sorting improvements.
    • improvement: Mobile responsiveness pass across key screens.
    • improvement: Argon2id parameters raised to 64 MB / 2 iterations to align with current OWASP guidance.
    • feature: Geo-based login tracking — sign-ins from unfamiliar locations are flagged for review.
    • improvement: Login alert emails now include location and device detail.
    • security: Hardened CSV import to safely handle malformed or unexpected input files.
    • improvement: Custom fields UI improvements.
    • feature: Payment billing and subscription management.
    • feature: Teams dashboard with seat and billing overview.
    • feature: Passkey sign-in and vault auto-lock on idle.
    • improvement: Multi-factor authentication flow improvements.
    • feature: WebAuthn (passkey) support added.
    • improvement: Sign-up and profile UI improvements.
    • feature: Multi-factor authentication.
    • feature: Profile and settings pages.
    • feature: Project member management and team invites.
    • improvement: Dashboard and navigation UI improvements.
    • feature: Credential management — notes, custom forms, and project-level organisation.
    • feature: Project deletion and validation rules.
    • feature: CSV import for bulk credential onboarding.
    • feature: Core vault, projects, and invite system.
    • security: Argon2id integrated for master key derivation.
    • feature: Initial vault architecture.
    • feature: Vault unlock using recovery phrase with master key persisted for the session.
    • feature: Copy-to-clipboard for decrypted passwords.
    • feature: Project users and pending invitations visible in the dashboard.
    • improvement: Clearer messaging when signing in from a new or unrecognised device.
    • feature: Moved from traditional server-rendered backend to a modern edge-first architecture.
    • feature: Per-project encryption silos with 6-digit out-of-band invite codes.
    • security: Zero-knowledge architecture: XChaCha20-Poly1305 + Argon2id, all crypto in the browser.
    • security: Device authorisation checks — sign-ins from unrecognised devices require explicit approval.
    • feature: Project invitation system with full acceptance flow for new and existing users.
    • feature: Click-to-decrypt credentials — vault stays locked until you request a value.
    • feature: Registration flow with recovery phrase generation and password strength validation.
    • improvement: Improved mnemonic entropy for stronger recovery phrases.
    • improvement: Authentication error handling and user feedback improvements.
    • feature: Initial concept using Argon2id for key derivation.
    • feature: Project management — create, organise, and control access to projects.
    • feature: Full credential management with search, filtering, and clipboard copy.
    • feature: Project invitation system with email-based onboarding.
    • improvement: Password strength indicator across sign-up and credential forms.
