Security

Why this is safer than password reuse

If one website gets breached, the password leaked there should not work anywhere else, because every site/account gets a different derived password.

• Per-site isolation: different domain → different password
• Per-account isolation: different username/email → different password
• No stored password vault: there isn’t a list of passwords to steal

Best practices (so you get the full value)

• Use a strong master secret (Vaultless Pass can generate one for you)
• Use a memorable phrase you won’t forget, and avoid reusing it elsewhere
• Double-check the domain before you fill (phishing protection starts with the URL)
• Keep a secure backup of your master secret for new devices (offline is best)

When a site forces a password change

Don’t “invent” a new password. Just bump the version and set the newly generated password on that site.

• Increase the version for that site/account
• Click Fill and set the new password on the website
• If you later need the old password, decrementing the version is not recommended—treat versions as a history of rotations

Limits (honest but friendly)

• No recovery service: if you lose your phrase/master secret, Vaultless Pass can’t recover your passwords (no server)
• Not a magic shield: malware on an unlocked device can still steal secrets
• Some sites have weird rules: you may need per-site overrides for strict password policies