Features

Everything built for security-first users

CredentialBase gives you every tool to manage credentials securely — autofill, sharing, sessions, notes, and more — all encrypted end-to-end.

Vault security

Zero-knowledge vault encryption

Every item is encrypted on your device before it leaves. PBKDF2 derives an encryption key from your master password that never transmits to our servers — making every vault item unreadable to us.

  • PBKDF2 with 600,000 iterations and SHA-256 — brute-force resistant
  • Separate enc key (device-only) and auth key (server) derived from same master password
  • AES-256-GCM encryption with a random 12-byte IV per item
  • Enc key stored as non-extractable CryptoKey — cannot be accessed by JavaScript
  • Server stores only encrypted blobs — a breach exposes nothing useful
encryption.ts
masterPassword// typed by user, never stored
↓ PBKDF2(600k, SHA-256)
authKey// → server (bcrypt hashed)
encKey// stays in browser only
↓ AES-256-GCM(encKey, iv)
encryptedBlob// → server storage
Login autofill

One-click login autofill

CredentialBase injects a 🔑 icon into every password field it detects. Tap it to see matching credentials for the current domain. Works with every JavaScript framework — React, Vue, Angular, vanilla.

  • Matches logins by domain from encrypted in-memory cache
  • Fires native input events — React useState and Angular forms detect the fill
  • Finds username field by autocomplete attribute or form proximity
  • Works with multi-step flows (username page, then password page)
  • No network call needed — credentials served from session cache
login.example.com
username
password
🔑
G

GitHub

dev@example.com

E

example.com

john@example.com

Card autofill

Credit and debit card autofill

CredentialBase detects card number fields via autocomplete attributes and injects a 💳 icon. Select your card and all fields fill instantly — number, expiry, CVV, and cardholder name.

  • Detects cc-number, cc-exp, cc-csc, cc-name fields
  • Works on all major checkout pages including Shopify, WooCommerce, Stripe forms
  • Card numbers stored encrypted — revealed only on explicit user action
  • Expiry filled as MM/YYYY or MM/YY based on field format
  • Multiple cards stored — pick the right one from picker
checkout.shop.com
Card number
💳
MM / YY
CVV
💳

Visa Gold

•••• 4242

💳

Mastercard

•••• 5353

Secure sharing

Share credentials securely — without trusting us

Generate a time-limited share link for any vault item. The decryption key lives only in the URL fragment — it is never sent to our servers. Even a database breach cannot expose shared credentials.

  • Random 32-byte key generated in browser per share
  • Key placed in URL fragment (#) — omitted from HTTP requests by browser spec
  • Expiry options: 1h, 24h (7d, 30d on Pro)
  • Optional SHA-256-hashed PIN for extra protection
  • Recipient decrypts in browser — no extension required to view
  • View limit: revoke automatically after N views
Generated share link:
https://credentialbase.com/share/a3f9c2d1-4e5b-6789#K3mN9pQ2rS5tU8vX

Path (server sees)

UUID → encrypted blob lookup

Fragment (browser only)

Decryption key. Never in HTTP request.

Expires in: 24h
PIN: enabled
Session control

See and revoke every active session

Session management shows every device logged in to your vault with device info, IP address, and last-active time. Revoke suspicious sessions instantly without changing your password.

  • See device name, browser, IP, and last-active timestamp
  • Revoke a single session or all sessions except current
  • Sessions auto-expire after 7 days of inactivity
  • Each session uses a unique refresh token — revocation is immediate
  • Ideal for shared computers or stolen device scenarios

Active Sessions

Chrome on macOS

192.168.1.1 · Now

Current

Chrome on Windows

10.0.0.45 · 2h ago

Chrome on iPhone

172.16.0.1 · 1d ago

Master password

Change master password without losing data

Changing your master password re-encrypts every vault item client-side before syncing to the server. No data loss, no re-login required on other devices — your vault migrates seamlessly.

  • Derives new auth key and enc key from new master password
  • Re-encrypts all vault items with new enc key in browser
  • Batch syncs re-encrypted items to server in single request
  • Old enc key destroyed — old password cannot decrypt
  • Other sessions invalidated — forces fresh login with new credentials
Change password flow:
1.Derive new enc key from new password
2.Fetch all vault items
3.Re-encrypt each item client-side
4.Batch sync to server
5.Invalidate old sessions
6.Update vault store
Zero items lost. Zero plaintext transmitted.
Secure notes

Store secrets beyond passwords

Secure notes let you store SSH keys, recovery codes, API keys, and any sensitive text — all encrypted with the same AES-256-GCM as your passwords. Copy with one click, never shown in plaintext at rest.

  • Same encryption as vault items — server sees only ciphertext
  • No length restriction on note content (7KB per item limit)
  • One-click copy — content revealed temporarily only when you request it
  • Shareable via secure link — same zero-knowledge share architecture
  • Searchable by title in popup — content never scanned
SSH Keys — Production
-----BEGIN OPENSSH PRIVATE KEY-----
••••••••••••••••••••••••••••••••
••••••••••••••••••••••••••••
-----END OPENSSH PRIVATE KEY-----

Start today

Your passwords deserve better.

Free forever. Upgrade when you need unlimited. Zero-knowledge from day one.

No credit cardFree foreverNo tracking50 items free