Zero-Knowledge Encryption

Your passwords never leave your device

SandPass uses the OPAQUE protocol and AES-256-GCM encryption. We can't read your data — even if we wanted to. Even if someone breaches our servers.

Free forever · Open architecture · No account data stored

Everything you need. Nothing you don't.

A complete password manager that respects your privacy. Every feature built with security-first architecture.

Smart Autofill

Fills your credentials in one click. Detects login forms, multi-step flows (Google, Apple), credit cards, and identity fields.

Password Generator

Generate strong random passwords or memorable passphrases. Configurable length, character sets, inline in any form.

TOTP Authenticator

Built-in 2FA code generator with animated countdown. Auto-fills OTP fields. No separate authenticator app needed.

Zero-Knowledge

Your master password never leaves your device. OPAQUE protocol means even our servers never see your credentials.

Device Management

See all connected devices, revoke access instantly. Trusted devices skip 2FA for 30 days. Full control.

Cards & Identities

Store credit cards, secure notes, and identity info. Autofill payment forms securely (HTTPS only).

Import & Export

Migrate from Bitwarden, 1Password, or Chrome in seconds. Export your data anytime — it's yours.

Breach Detection

Check passwords against HaveIBeenPwned using k-anonymity. Your password never leaves your device — not even a hash.

6 layers of defense in depth

Security isn't a feature — it's the architecture. Every layer is designed so that compromising one doesn't compromise the rest.

1. OPAQUE (RFC 9807)

Password-authenticated key exchange. Your master password is never transmitted — not even hashed.

2. AES-256-GCM

Military-grade authenticated encryption. Every vault item encrypted with a unique IV.

3. Argon2id KDF

Memory-hard key derivation (64 MiB, 3 iterations). Resists GPU/ASIC brute-force attacks.

4. Dual-Wrap Keys

Symmetric key encrypted under both device key and account key. Lose one, keep the other.

5. HMAC-SHA256 Sessions

Sessions are signed server-side. Even if Redis is compromised, sessions can't be forged.

6. Replay Protection

Monotonic request counter per session. Prevents replay attacks even with intercepted tokens.
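
Layers 5 and 6, sketched as an added example that is not SandPass's own code: the token layout, the `SessionStore` class and the in-memory dict standing in for Redis are assumptions made for illustration. It shows that a session record written directly into the store fails the HMAC check because the signing key is not kept there, and that a request repeated with an already-used counter is rejected.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: the signing key is held by the application server only and is
# never written to the session store (Redis in the description above).
SERVER_KEY = secrets.token_bytes(32)


def _tag(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def sign_session(session_id: str) -> str:
    """Return 'session_id.tag' with tag = HMAC-SHA256(SERVER_KEY, session_id)."""
    return f"{session_id}.{_tag(session_id)}"


def verify_session(token: str) -> Optional[str]:
    """Return the session id if the tag verifies, otherwise None."""
    session_id, sep, tag = token.rpartition(".")
    if not sep or not session_id:
        return None
    ok = hmac.compare_digest(tag.encode(), _tag(session_id).encode())
    return session_id if ok else None


class SessionStore:
    """Hypothetical store: session id -> highest request counter accepted."""

    def __init__(self) -> None:
        self.last_counter: dict = {}

    def create(self) -> str:
        session_id = secrets.token_hex(16)
        self.last_counter[session_id] = 0
        return sign_session(session_id)

    def accept(self, token: str, counter: int) -> bool:
        """Accept a request only if the token verifies and the counter advances."""
        session_id = verify_session(token)
        if session_id is None or session_id not in self.last_counter:
            return False  # forged, tampered or unknown session
        if counter <= self.last_counter[session_id]:
            return False  # counter already used: replayed request
        self.last_counter[session_id] = counter
        return True
```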

287 automated tests · 161 backend (pytest) + 126 extension (Vitest) · 0 known vulnerabilities · Security score: 9.5/10

How we compare

Feature · SandPass · Bitwarden · 1Password · LastPass
Zero-knowledge encryption
OPAQUE protocol (no password transmitted)
Open-source extension
Built-in TOTP authenticator
Breach detection (HIBP)
Smart autofill (multi-step)
No data breaches
Free tier

Frequently asked questions

What happens if SandPass gets hacked?

Nothing happens to your passwords. Thanks to zero-knowledge architecture, our servers only store encrypted blobs. Without your master password (which never leaves your device), the data is useless. Even we can't decrypt it.

What is the OPAQUE protocol?

OPAQUE (RFC 9807) is a password-authenticated key exchange protocol. Unlike traditional login where a hash of your password is sent to the server, OPAQUE ensures your password is never transmitted in any form — not even hashed. The server proves it knows your registration data, and you prove you know the password, without either side revealing secrets.

Can I import from my current password manager?

Yes. SandPass supports importing from Bitwarden, 1Password, Chrome, and generic CSV formats. The import happens entirely in your browser — your data never passes through our servers during migration.

What if I forget my master password?

Because of zero-knowledge design, we cannot recover your master password. This is a feature, not a bug — it means nobody can access your vault without your password. We recommend writing it down and storing it in a physical safe.

Is SandPass open-source?

Our entire encryption stack uses well-audited open-source libraries (OPAQUE via @serenity-kit/opaque, Argon2id via hash-wasm, AES-256-GCM via Web Crypto). We believe in transparent security — security through obscurity is no security at all.

Which browsers are supported?

SandPass currently supports Chrome and all Chromium-based browsers (Edge, Brave, Arc, Opera). Firefox support is on the roadmap.

Ready to take control of your passwords?

Install SandPass in 30 seconds. Import your existing passwords. Never worry about security again.

Works on Chrome, Edge, Brave, Arc, and Opera