
Master Password — one key that never leaves your device

Your master password is the single passphrase that unlocks everything in your vault. It never leaves your browser in any form — no transmission, no server storage, no recovery mechanism. It is designed so that only you can unlock your vault.

600K PBKDF2 iterations
256-bit random salt
512 bits derived per unlock
0 bits transmitted to server

How the Master Password Works

More than a password — a cryptographic key derivation function that turns your passphrase into encryption keys.

Separate from Your Account Password

Your Pivlu account password (used to log in to accounts.pivlu.com) and your vault master password are completely separate credentials. Compromising your account password does not expose your vault. Someone who resets your account password still cannot open your vault.

PBKDF2 Key Derivation

Your master password is processed through PBKDF2-SHA256 (Password-Based Key Derivation Function 2) with a unique 256-bit random salt and 600,000 iterations. PBKDF2 is designed to be slow — intentionally. Each brute-force guess takes meaningful time even on dedicated hardware.

Two Derived Keys

PBKDF2 produces 512 bits of output. The first 256 bits become your encryption key — used locally in the browser to decrypt vault data, never transmitted. The second 256 bits become your auth key — hashed with SHA-256 and sent to the server only for identity verification.

No Recovery by Design

There is no "forgot master password" flow. We cannot reset your master password because we don't store it, can't derive it, and have no mechanism to substitute it. If you lose your master password, your encrypted vault data becomes permanently inaccessible. This is the security guarantee, not a bug.

Why 600,000 Iterations Makes a Difference

The math behind why your master password can be shorter than you'd expect and still be secure.

Deliberate Slowness

On modern hardware, 600,000 PBKDF2 iterations take about 300ms in a browser. For you, unlocking your vault is barely noticeable. For an attacker, who could otherwise test millions of guesses per second against a plain hashed password, every guess now carries that same 300ms of work — making a brute-force attack orders of magnitude slower than against a regular hashed password.

Unique Salt Per User

Each account gets a unique cryptographically random 256-bit salt generated at vault setup. The salt is combined with your master password before derivation. This means two users with the same master password produce completely different encryption keys — rainbow tables and precomputed attacks are useless.

OWASP-Recommended Standard

OWASP recommends at least 600,000 iterations of PBKDF2-SHA256 for password hashing (2023 guidelines). Vault meets this benchmark. The iteration count is a parameter we can increase in future updates as hardware improves — your master password re-derives the next time you unlock.

From password to decrypted vault in 3 steps

1. Enter Master Password

You type your master password on the vault unlock screen. The server fetches your salt and sends it to the browser. Your password never leaves the browser.

2. PBKDF2 Derives Two Keys

The browser runs 600,000 iterations of PBKDF2-SHA256 with your password and salt, producing 512 bits: an encryption key (stays in browser) and an auth key hash (sent to server for verification).

3. Vault Decrypts Locally

If the auth key hash matches, the server returns your encrypted vault data. The encryption key decrypts the key hierarchy, which decrypts individual items — all in your browser. Vault is now open.

Choosing a strong master password

Use a Passphrase

"correct-horse-battery-staple" is significantly stronger than "P@ssw0rd!" and much easier to remember. Four random common words produce over 50 bits of entropy — more than most complex passwords people create.

Write It Down

Write your master password on paper and store it in a physically secure location (home safe, bank safety deposit box). The risk of losing it permanently is higher than the risk of someone finding the paper — especially for a passphrase they wouldn't recognize as a Vault key.

Never Reuse It

Your master password protects everything in your vault. If it's the same as a password used elsewhere and that site is breached, an attacker who obtains the leaked password could use it to try to access your vault. Use a unique master password you've never used anywhere else.