Features
Everything built for security-first users
CredentialBase gives you every tool to manage credentials securely — autofill, sharing, sessions, notes, and more — all encrypted end-to-end.
Zero-knowledge vault encryption
Every item is encrypted on your device before it leaves. PBKDF2 derives an encryption key from your master password that never transmits to our servers — making every vault item unreadable to us.
- PBKDF2 with 600,000 iterations and SHA-256 — brute-force resistant
- Separate enc key (device-only) and auth key (server) derived from same master password
- AES-256-GCM encryption with a random 12-byte IV per item
- Enc key stored as non-extractable CryptoKey — cannot be accessed by JavaScript
- Server stores only encrypted blobs — a breach exposes nothing useful
One-click login autofill
CredentialBase injects a 🔑 icon into every password field it detects. Tap it to see matching credentials for the current domain. Works with every JavaScript framework — React, Vue, Angular, vanilla.
- Matches logins by domain from encrypted in-memory cache
- Fires native input events — React useState and Angular forms detect the fill
- Finds username field by autocomplete attribute or form proximity
- Works with multi-step flows (username page, then password page)
- No network call needed — credentials served from session cache
GitHub
dev@example.com
example.com
john@example.com
Credit and debit card autofill
CredentialBase detects card number fields via autocomplete attributes and injects a 💳 icon. Select your card and all fields fill instantly — number, expiry, CVV, and cardholder name.
- Detects cc-number, cc-exp, cc-csc, cc-name fields
- Works on all major checkout pages including Shopify, WooCommerce, Stripe forms
- Card numbers stored encrypted — revealed only on explicit user action
- Expiry filled as MM/YYYY or MM/YY based on field format
- Multiple cards stored — pick the right one from picker
Visa Gold
•••• 4242
Mastercard
•••• 5353
Share credentials securely — without trusting us
Generate a time-limited share link for any vault item. The decryption key lives only in the URL fragment — it is never sent to our servers. Even a database breach cannot expose shared credentials.
- Random 32-byte key generated in browser per share
- Key placed in URL fragment (#) — omitted from HTTP requests by browser spec
- Expiry options: 1h, 24h (7d, 30d on Pro)
- Optional SHA-256-hashed PIN for extra protection
- Recipient decrypts in browser — no extension required to view
- View limit: revoke automatically after N views
Path (server sees)
UUID → encrypted blob lookup
Fragment (browser only)
Decryption key. Never in HTTP request.
See and revoke every active session
Session management shows every device logged in to your vault with device info, IP address, and last-active time. Revoke suspicious sessions instantly without changing your password.
- See device name, browser, IP, and last-active timestamp
- Revoke a single session or all sessions except current
- Sessions auto-expire after 7 days of inactivity
- Each session uses a unique refresh token — revocation is immediate
- Ideal for shared computers or stolen device scenarios
Active Sessions
Chrome on macOS
192.168.1.1 · Now
Chrome on Windows
10.0.0.45 · 2h ago
Chrome on iPhone
172.16.0.1 · 1d ago
Change master password without losing data
Changing your master password re-encrypts every vault item client-side before syncing to the server. No data loss, no re-login required on other devices — your vault migrates seamlessly.
- Derives new auth key and enc key from new master password
- Re-encrypts all vault items with new enc key in browser
- Batch syncs re-encrypted items to server in single request
- Old enc key destroyed — old password cannot decrypt
- Other sessions invalidated — forces fresh login with new credentials
Store secrets beyond passwords
Secure notes let you store SSH keys, recovery codes, API keys, and any sensitive text — all encrypted with the same AES-256-GCM as your passwords. Copy with one click, never shown in plaintext at rest.
- Same encryption as vault items — server sees only ciphertext
- No length restriction on note content (7KB per item limit)
- One-click copy — content revealed temporarily only when you request it
- Shareable via secure link — same zero-knowledge share architecture
- Searchable by title in popup — content never scanned
Start today
Your passwords deserve better.
Free forever. Upgrade when you need unlimited. Zero-knowledge from day one.