Security That's Mathematically
Impossible to Break
Every credential is encrypted in your browser before it ever leaves your device. Our database stores only ciphertext - scrambled data that is useless without your 3-word recovery phrase. Even if our entire database were leaked, no passwords could be recovered.
Why We Are Different
The Dual-Gate architecture separates identity from authorization, making Pwdly immune to the breaches that have plagued legacy managers.
Identity Layer
Your email and password authenticate you to our server. This proves who you are, but gives you access to nothing but encrypted blobs.
Authorization Layer
Your 3-word recovery phrase + your email + a global pepper are fed into Argon2id to derive a key that decrypts your Master Key - entirely in your browser. The Master Key exists only in volatile RAM for the duration of your session.
We Can't See Your Data
The server stores only the encrypted master_key_blob, a salt, and your public key. It never sees your 3 words, the Derived Key, or the Master Key.
RAM-Only Master Key
On every login, your browser re-derives the key from your 3 words + email + salt, decrypts the master_key_blob, and holds the Master Key only in volatile browser memory.
Per-Project Encryption
Each project has its own Project Key, wrapped (encrypted) by your Master Key using XChaCha20-Poly1305. Credentials are encrypted field-by-field with unique random nonces.
Technical Deep-Dive
Battle-tested cryptographic primitives with parameters designed to withstand modern attack vectors.
Argon2id Key Derivation
Your 3-word recovery phrase is transformed into a Derived Key using Argon2id, the winner of the Password Hashing Competition. This Derived Key then decrypts your Master Key (stored as an encrypted blob on the server).
- Memory-hard: Requires 64MB of RAM per derivation, making GPU attacks impractical
- Side-channel resistant: Protected against timing attacks via Argon2id hybrid mode
- Input binding: Your 3 words + email + global pepper (pwdly-zero-knowledge-v1) are combined
- Separate Master Key: A random 32-byte Master Key is generated by libsodium's CSPRNG, then wrapped by the Derived Key
How Credentials Are Encrypted
Each credential (name, username, password, email, URL, notes) is encrypted field-by-field using XChaCha20-Poly1305 with a Project Key (or the Master Key for personal vault items). Each encryption operation uses a unique random 24-byte nonce prepended to the ciphertext.
- All encryption/decryption happens client-side in your browser
- Keys are generated using libsodium's cryptographically secure RNG
- XChaCha20-Poly1305 provides authenticated encryption - tamper-proof
- Unique nonces per field prevent pattern analysis across entries
How Sharing Works
The key insight: invited users never need the owner's 3 words. A temporary 6-digit invite code acts as a one-time secure handoff mechanism. After acceptance, each user holds an independent encrypted copy of the Project Key, decryptable only by their own Master Key.
Owner Invites
Owner's browser already has the Project Key in memory (unwrapped from their Master Key)
A random 6-digit invite code is generated
The code + invitee's email are fed into Argon2id (64MB, 2 iterations) to derive an Invite Key
The Project Key is wrapped with the Invite Key using XChaCha20-Poly1305 and stored
The 6-digit code is shown to the owner to share out-of-band (verbally, secure channel, etc.)
Invitee Accepts
Invitee enters the 6-digit code in their browser
Browser re-derives the same Invite Key using code + their email + stored salt (Argon2id)
The Invite Key decrypts the wrapped Project Key - now in browser memory
The Project Key is immediately re-wrapped with the invitee's own Master Key and stored
The pending invite is deleted - the 6-digit code becomes useless
The 6-digit code is only valid until used or expired.
The code is bound to the invitee's email - intercepted codes won't work for a different address.
After acceptance, each user unlocks via their own 3 words → Master Key. No ongoing dependency.
Libsodium Cryptography
All cryptographic operations happen in your browser using libsodium-js, a JavaScript implementation of the industry-standard NaCl library. This means:
- All encryption/decryption happens client-side - nothing leaves your browser unencrypted
- Master Key and Project Keys are generated using libsodium's CSPRNG, not on our servers
- Constant-time operations prevent timing attacks
- Audited, battle-tested cryptographic primitives
What If We Are Hacked?
Let's walk through exactly what an attacker would find with full database access.
Attacker gains full database access
Through SQL injection, insider threat, or server compromise
- Email addresses
- Encrypted master_key_blob per user
- Encrypted wrapped_project_key per project member
- Encrypted credential fields (ciphertext blobs)
- Random salts and nonces
- Your 3-word recovery phrase (never stored)
- Derived Keys (computed in browser, never sent)
- Master Keys (exist only in volatile RAM)
- Project Keys (wrapped, unreadable without Master Key)
- Any plaintext credential data
Attacker attempts brute force
Trying to crack the encryption without the 3-word phrase
- XChaCha20-Poly1305 encrypted blobs (256-bit keys)
- Argon2id-protected derivation requiring 64MB RAM per attempt
- Per-user unique salts preventing rainbow tables
- Any computational shortcut past Argon2id
- Patterns in encrypted data (each field has unique nonce)
- Weak key derivation to exploit
Attack becomes economically infeasible
The math makes decryption impossible without the 3-word phrase
- Useless encrypted blobs - indistinguishable from random noise
- No metadata to correlate (names, URLs all encrypted)
- No keys to derive without the mnemonic + email + pepper
- Your credentials - ever
- Project information - ever
- Anything valuable - computationally indecipherable
The Bottom Line
Without your 3-word recovery phrase, our entire database is cryptographically useless. Not "hard to crack" - mathematically impossible with current technology. The server stores only ciphertext and encrypted key blobs.
See What We Actually Store
This is a realistic preview of what our production database actually stores. Even with full access, every field is an indecipherable encrypted blob.
We literally cannot read your data.
SELECT * FROM credentials LIMIT 6
| uuid | encrypted_name | encrypted_username | encrypted_email | encrypted_password | encrypted_url | encrypted_notes | created_at |
|---|---|---|---|---|---|---|---|
| 4011c868... | FhnGW5jSRZZ+wseIu8RNsfCcqCwtiQsHSOZf3GsIACQY852QTI8FgSauULTUAfd7/mMdXd | KErFPLQTeS23iKSiyiY9KE9oeL/+sTCqSnU4h0Jfzsea7WJRG | sbhisSqPwny7h4pfOsQDSqj0gQosGoKreJ2Kk9BpqJt0VD9W=C=pwkQH5 | KB2h2MFSCC=OWSo7GPID9ro=jTQ6JPwpgbcZNL9jsPzB | =lw9VqGaM27ckzg7ZK56eBHRzEaT90=XofFLCJHOJNo=wb4DMdtwxJMqidfdcqpjxU | qSjxvxIIX19DF76a9l7GuuBseo4E4+5m9qWy0Z08c4zYaoZOy | 2026-04-02 11:21:13 |
| c7b37a8b... | cMnqg5r6/VKoWXqOg6flpOipwoMN6iOs9zuptDV5rLSzlHnzNtru6gkm3e7ZbOTE5 | 7VJzxWzvZrNwFvk2IsIBH0bSSsp+CD0z8agsvPT2Rz81sy98PRvXFj | 03SF7Fkeko0isnyXfVyqPvj2Y2wR4KMMHmweeWHD0bE+Cpb414p+RRT | aapvMt89LoCW1e==ceH6ZkFd0n/F84+7I4ccQIkpgM6w8eIGFhV | QxVI==u+kivfmimL2YkydvVJ2/QB4MLGANP5RsEONrEmb=pdXP8qiMWIKlViy | w=Xsi1Ih=PcBr==vRgNWEoeWSf3J6mDrv5xF1u7Ew4w=y | 2026-03-29 11:21:13 |
| 37923050... | J595WGiTabimR5G6dKicCtw+4sFZF3hO1yW3lpKSMgLFM2br+f3Z4mKfeYB7tfOg | rNK+sUN8o5fWoKzq0v=38p=FgOf8ytrYv1qc7kxzj0Ki7N16 | V1rv8U1DgjhrVFXFDqmjGsLAhzORPFmxYLwnTvy3/1MqKrgUEBF9AE | NGtV=sX74ycAReLlCObGlxOq7ZXAulsnm/oADIEhhEhN | G6e2f5MGkCA3Fbe=b6TUoT7=NjlweQsv4a2fhsvaMWPFJQmS4uS+yuPa8x+l=SIX | eVOqlPyeeGWByog4yU61FaMqNFu77+tQj=wXGYPU9Hjmr2 | 2026-04-10 11:21:13 |
| d6f56031... | qRaR8FqdTmTFQ1PyZ1gij6O90ybjFSqf/KkgNFEm1ppn9fPvHWSEeis7s5+dPvleOp | 3Cue8IadrpuKwUCHS1eeLyi6IbAFsq5c1PeQhBT60UutOpPj8SL | 3k0rgt1AAECHNXSbrFVrUOgvSNXYcb9/WInyFuKX3SQUXfZiVH | 1U2lU13+orVOAN2+sL0xO7DyXczbX4y=hyr4IZVt=yS151te | lf1oI1s29ZGvOMLSK8okUm/fZpWpSmuY5Pb016D0tqQ1Aa=NNxslQebGamY3 | G=AAsJdy2vuraclWHslJzesUhHYKliZl+g+Lj4rhx6aFs3QL | 2026-04-03 11:21:13 |
| d72bc518... | UuIHSLVXzjlx3HXGsb4imcMZww+9hgRH+16rIIm4sQ=ie8UUjhP+B/VMeLV=Kodse | GXG3FerU/r8LW3z3OzZ9i+LQlvjbA4J2hW6D5K73iQnA/hUs | tSGKJR1BbKxj6zktphV8csCyKbVZ8GcBqKNTZgOd4qPjX4Gw+BoWD7 | ui+oDp7EFS8SN+uCUMnh18DhcL8EJEQpvKL5jIQpnCdX8 | QaIce7R/W8HcMdhriK3Q0qYeA0xVo7GsuTEc8nYtC/SUl58hkw238Rs17x22bX1e | 8Bq+MQCPkL9zNZ1/N1EF43JTv9KkCXKaa9Dyq9XGm3xHwQR | 2026-04-27 11:21:13 |
| 810c1228... | wECkHiOMxXJxc+gYp91WD/qqqKear4bdPWi=+WNJyFm8PhLFxwpCDnURBvDDb0dCw= | EBLHN7bVAzYI2NHWDbtq/nz6z7x03Y9LUkw3YrjiYP0d6BTWSySORNT | tb5rm2aehr3qX/mPYaC7Zg7c5VWmE7Ovy0/kx/UmthMzhj2+fM9oo | 8dKgLq753/HOofieQIgufv1gvgOEJ2oSp=8CE5QQ4pi22qO5 | rfMrX4PB4Bf=ghQDJMocvk92Mm6bFC5jcG+gSvgtvBNMIs2IU0U3WPOF0hSgYT | v+j=fEdp4=Fuufccuk=eKBn2xrILWNfc5a4lFo0oh=U=qoDC | 2026-04-18 11:21:13 |
All credential fields encrypted with XChaCha20-Poly1305 - decryption requires your 3-word recovery phrase
What you see
Random-looking base64 strings - encrypted blobs that are computationally indistinguishable from random noise.
What's hidden
Everything - site names, usernames, passwords, emails, URLs & notes. Completely unrecoverable without your 3-word recovery phrase.
What this means
Even if an attacker steals our entire database, they get nothing usable. Every single field is end-to-end encrypted with XChaCha20-Poly1305.
Pwdly vs Traditional Managers
See how our zero-knowledge architecture compares to standard master password systems.
| Feature |  | Traditional |
|---|---|---|
| Key Derivation | Argon2id (64MB, 3 iterations, memory-hard) | PBKDF2 / bcrypt |
| Authentication Model | Dual-Gate (Identity + 3-Word Authorization) | Single Master Password |
| Encryption Algorithm | XChaCha20-Poly1305 (authenticated, unique nonces) | AES-256-CBC / GCM |
| Key Storage | RAM only (volatile browser memory) | LocalStorage / Cookies |
| Server Breach Impact | Zero (encrypted blobs + wrapped keys only) | Potential vault exposure |
| Sharing Model | 6-digit code → Argon2id → independent key copy | Shared vault key or server-mediated |
| Per-Project Isolation | Unique Project Keys, wrapped by Master Key | Shared vault key |
| GPU Attack Resistance | High (64MB memory-hard per attempt) | Low to Medium |
| Recovery Option | 3-word recovery phrase (offline backup) | Email-based recovery |
Ready for Real Security?
Join teams who've upgraded from legacy password managers to true zero-knowledge architecture.