Offlinepass Chrome extension icon

Offlinepass

👥 43 users
📦 v1.1.0
💾 1.45MiB
📅 2026-04-27
View on Chrome Web Store

Chrome will indicate if you already have this installed.

Overview

OfflinePass is a deterministic password manager that turns one Master Key
into a unique, secure password for every site — entirely in your browser.
No server. No vault. No sync. Lose your device and you can recover every
password on a fresh install just by remembering one phrase.

──────────────────────────────────────────
THE WHOLE ALGORITHM, ON ONE SCREEN
──────────────────────────────────────────

msg = "github.com" + "|" + "you@example.com" + "|2026|0"
mac = hmac-sha256(masterKey, msg)
password = base58(mac).slice(0, 16)
// → 0$87booSaeaKYnhgEq

That's it. Three inputs (host, identity, year), one HMAC-SHA256, base58
encoded and truncated to 16 characters. Same Master Key + same site +
same identity always produces the same password — on any device, on
any version, forever.

──────────────────────────────────────────
WHY OFFLINEPASS
──────────────────────────────────────────

• No server, ever
Every password is computed locally. Open the network tab and watch —
there are zero requests after the popup loads.

• Nothing to back up
No vault, no sync, no database. The only secret is your Master Key,
and only you remember it.

• Deterministic
Forget syncing across devices. Type the same Master Key on a fresh
install and you instantly recover every password.

• Audit the math, not us
HMAC-SHA256 + Base58. ~94 bits of entropy in the truncated output.
The whole thing is a few lines of TypeScript you can read in one
sitting. Source on GitHub: github.com/sireto/offlinepass

• Zero tracking
No analytics, no fingerprinting, no telemetry, no cookies you didn't
ask for. Apache 2.0 license, free for any use.

──────────────────────────────────────────
HOW TO USE IT
──────────────────────────────────────────

1. Click the OfflinePass icon (or press Ctrl/Cmd+Shift+F).
2. Type your Master Key.
3. The current site is filled in automatically; type your username.
4. The 16-character password appears in the result card. Click copy.

That's the whole flow. Same site, same identity, same Master Key →
the same password every time.

──────────────────────────────────────────
OPTIONAL: SAVE YOUR MASTER KEY WITH A PIN
──────────────────────────────────────────

If you don't want to retype your Master Key on every visit, you can
encrypt it locally with a PIN:

• Key derivation: PBKDF2-HMAC-SHA256, 250,000 iterations, 16-byte
random per-MSK salt.
• Cipher: AES-GCM with a 12-byte random IV. The auth tag is what tells
us a wrong PIN was entered — there is no separate hash to crib
against.
• Storage: localStorage on this device only. Nothing is synced or sent
over the network.

Enter the wrong PIN and the GCM auth tag fails — the ciphertext is
useless without it. PINs are short, so a long PIN (or no PIN at all)
is stronger; we explain the trade-off in SECURITY.md.

──────────────────────────────────────────
PERMISSIONS
──────────────────────────────────────────

This extension requests one permission:

• activeTab — used only to read the URL of the tab where you opened
the popup, so OfflinePass can pre-fill the host field. The URL never
leaves your browser.

──────────────────────────────────────────
PRIVACY
──────────────────────────────────────────

OfflinePass collects nothing. There is no analytics endpoint, no
fingerprinting, and no remote configuration. The extension makes zero
network requests after install. The full source is published under
Apache 2.0 — verify it yourself.

──────────────────────────────────────────
LINKS
──────────────────────────────────────────

• Source code: https://github.com/sireto/offlinepass
• Web app: https://offlinepass.com
• Security policy: https://github.com/sireto/offlinepass/blob/main/SECURITY.md
• License: Apache 2.0

Tags

Productivity/tools password productivity/tools

Privacy Practices

Not being sold to third parties, outside of the approved use cases
Not being used or transferred for purposes that are unrelated to the item's core functionality
Not being used or transferred to determine creditworthiness or for lending purposes

🔐 Security Analysis

This extension hasn't been security-scanned yet.

Similar Extensions

More in Productivity/tools →

Gk Vimflow

6209.1M+ users
AI-powered invoice autofill for the IOCL Vendor Invoice Management (VIM) portal. Upload a PDF, auto-fill the add-bill fo…
Productivity/tools AI

Claude

10M+ users
Claude in Chrome (Beta)
Productivity/tools AI

Zotero Connector

8M+ users
Save references to Zotero from your web browser
Productivity/tools