BSc Cyber Security & Digital Forensics · v1.2

Protect credentials with military-grade encryption

Secure Password Vault is a Chrome extension that stores your logins behind a single master password. Everything is encrypted on your device using AES-256-GCM — no cloud server ever sees your secrets. Before you save a password, we check it against millions of known breached passwords.

256-bit AES encryption
200,000 PBKDF2 iterations
0 passwords sent to our servers

Password Vault — Unlocked
google.com student@university.edu
github.com dev_team
✓ Breach check passed — password not found in HIBP

Why password security matters

Reusing passwords across websites is one of the leading causes of account takeover. When a site is breached, attackers test stolen credentials everywhere — a threat studied in cyber security and digital forensics programmes worldwide.

The problem

Browser-saved passwords and plain-text notes offer convenience but limited protection. Without encryption and breach awareness, users cannot tell if a password has already been exposed in a public data leak.

Our solution

A local encrypted vault with a master password, industry-standard cryptography, and real-time checks against the Have I Been Pwned database — teaching secure design while remaining practical for everyday use.

Everything the extension does — explained

Each feature was implemented with a specific security goal. Nothing is decorative.

Encrypted vault (AES-256-GCM)

Your saved passwords are stored as ciphertext in Chrome local storage. A unique key is derived from your master password using PBKDF2 with 200,000 iterations and SHA-256.

Authenticated encryption prevents tampering with vault data.

Breach detection (HIBP)

When you add or edit a password, we query the Pwned Passwords API using k-anonymity: only the first five characters of the SHA-1 hash leave your browser.

Full password never transmitted · Add-Padding enabled

Master password verification

Your master password is never stored. We keep an encrypted verification token ("VAULT_VERIFY") so login checks succeed only with the correct passphrase.

Minimum 8 characters · Breached master passwords rejected
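
The key derivation and verification-token check described under "Encrypted vault" and "Master password verification", as an added example that is not the extension's own code. The function names, the 16-byte salt, the 12-byte IV and the stored record layout are assumptions.

```javascript
// Added example, not the extension's code. deriveKey, createVerifier and
// checkMasterPassword are assumed names; salt/IV sizes are assumptions.
// The fallback only matters when running under an older Node release.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;
const enc = new TextEncoder();

// PBKDF2-SHA-256, 200,000 iterations -> non-extractable AES-256-GCM key.
async function deriveKey(masterPassword, salt) {
  const material = await subtle.importKey(
    "raw", enc.encode(masterPassword), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: 200000 },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Persist only salt, IV and the ciphertext of a fixed marker.
// The master password and the derived key are never stored.
async function createVerifier(masterPassword) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(masterPassword, salt);
  const ct = await subtle.encrypt(
    { name: "AES-GCM", iv }, key, enc.encode("VAULT_VERIFY"));
  return { salt, iv, ct: new Uint8Array(ct) };
}

// A wrong passphrase derives a different key, and a modified record no
// longer matches its GCM tag: in both cases decrypt() rejects.
async function checkMasterPassword(candidate, record) {
  try {
    const key = await deriveKey(candidate, record.salt);
    const pt = await subtle.decrypt(
      { name: "AES-GCM", iv: record.iv }, key, record.ct);
    return new TextDecoder().decode(pt) === "VAULT_VERIFY";
  } catch {
    return false; // authentication failure is treated as "not unlocked"
  }
}
```

Because the record contains everything needed to test a guess, its resistance to guessing rests on the PBKDF2 work factor and the strength of the master password.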

Secure password generator

Generates 18-character passwords using crypto.getRandomValues with unbiased character selection — avoiding modulo bias common in weak generators.
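
One way to get unbiased selection is rejection sampling, shown here as an added example that is not the extension's own code. The alphabet and the names ALPHABET, rejectionLimit, randomIndex, generatePassword and moduloCounts are assumptions; only the 18-character length and crypto.getRandomValues come from the description above.

```javascript
// Added example, not the extension's code. The character set is assumed.
// The fallback only matters when running under an older Node release.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+";

// Largest multiple of n that fits in one byte. Bytes at or above this
// value are discarded so every index is hit by the same number of bytes.
function rejectionLimit(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("alphabet size must be 1..256");
  }
  return 256 - (256 % n);
}

// Uniform index in [0, n): redraw instead of folding high bytes with `%`.
function randomIndex(n, nextByte) {
  const limit = rejectionLimit(n);
  let b;
  do { b = nextByte(); } while (b >= limit);
  return b % n;
}

function generatePassword(length = 18, alphabet = ALPHABET) {
  const pool = new Uint8Array(64);
  let used = pool.length; // forces a refill on the first draw
  const nextByte = () => {
    if (used === pool.length) { rng.getRandomValues(pool); used = 0; }
    return pool[used++];
  };
  let out = "";
  for (let i = 0; i < length; i++) {
    out += alphabet[randomIndex(alphabet.length, nextByte)];
  }
  return out;
}

// The bias a naive `byte % n` has: how many byte values map to each index.
function moduloCounts(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  return counts;
}
```

With this 74-character alphabet, a naive `byte % 74` maps four byte values to each of the first 34 characters and three to the rest; rejecting bytes at or above 222 removes that skew.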

Clipboard auto-clear

Copied usernames and passwords are wiped from the clipboard after 45 seconds to reduce the risk of shoulder surfing or clipboard-history malware.

Login rate limiting

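After five failed unlock attempts, the vault enforces a 60-second cooldown, a practical defence against brute-force guessing at the unlock prompt. The cooldown cannot slow offline guessing against a copied verification token; that case depends on the PBKDF2 iteration count and the strength of the master password.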

Add, edit, search, delete

Organise credentials by website and username. Search instantly. Edit entries in-place with the same breach checks applied on save.

Current tab helper

When adding a new entry, one click fills the website field from your active browser tab hostname — faster and fewer typos.

100% local storage

No registration, no sync server, no analytics on your vault. Only breach checks contact the internet — and even then, not your full password.

How the data-breach check works

We integrate Troy Hunt's Have I Been Pwned Pwned Passwords service — a database of hundreds of millions of passwords seen in real breaches.

  • Your password is hashed with SHA-1 locally in the browser.
  • Only the first 5 characters of the hash are sent to the API.
  • The server returns all matching hash suffixes; we compare locally.
  • If matched, you see how many times that password appeared in breaches.
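  • Saving is blocked unless you explicitly acknowledge the risk.

// k-anonymity — password never in URL
async function checkBreach(password) {
  const digest = await crypto.subtle.digest("SHA-1", new TextEncoder().encode(password));
  const hash = Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("").toUpperCase();
  const prefix = hash.slice(0, 5); // the only part sent to the API
  const suffix = hash.slice(5);    // compared locally against the response
  // GET api.pwnedpasswords.com/range/{prefix}; padded entries carry a count of 0
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, { headers: { "Add-Padding": "true" } });
  const match = (await res.text()).split(/\r?\n/)
    .some((line) => line.startsWith(`${suffix}:`) && Number(line.split(":")[1]) > 0);
  if (match) console.warn("Found in HIBP");
  return match;
}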

How to use Secure Password Vault

From installation to locking your vault — a complete walkthrough.

1. Download & install

Download the ZIP from this website, extract it, and load it in Chrome via chrome://extensions with Developer mode enabled. Pin the extension for quick access.

2. Create your master password

Choose a strong, unique master password (minimum 8 characters). It is checked against breach databases. This single password unlocks your entire vault.

3. Save credentials

Open the "Add New" tab, enter website, username, and password — or generate one. Breach check runs automatically. Compromised passwords show a clear warning.

4. Unlock, copy, lock

Unlock when needed, copy credentials (clipboard clears in 45s), and press Lock when finished so secrets leave memory.

Common questions

No. By design, there is no back door. If you forget your master password, the encrypted vault cannot be decrypted. You may reset the vault (which deletes all data) only after confirming your current master password.
Vault contents stay in Chrome local storage on your device. The only network call is the optional breach check, which uses k-anonymity and never sends your complete password.
Any Chromium-based browser that supports Manifest V3 extensions — Google Chrome, Microsoft Edge, Brave, and others. Firefox is not supported in this version.
Secure Password Vault was developed by Arham Ikhlaq, Asad Abbas, and Murtajiz Ali Khan under the supervision of Dr. Zain Ul Abadin. See the Team page for full credits.

Ready to secure your passwords?

Free for personal and academic use. Install in under two minutes.