wePass encrypts every password in your browser with AES-256-GCM before it ever reaches our servers. Zero-knowledge — we store only ciphertext.
Every layer of the stack is designed around one principle — your data belongs to you alone.
Passwords are encrypted in your browser before upload. The server stores only ciphertext — we physically cannot read your data, ever.
Authenticated encryption with a unique 96-bit IV per entry. Built-in tamper detection — any modification to ciphertext is cryptographically rejected.
Your password runs through 600,000 iterations of PBKDF2 with SHA-256 to produce your vault key. Brute-force is computationally infeasible.
A separate PIN gates every reveal and copy action. Stored as a bcrypt hash — independently protects your session even if your account is compromised.
Login locked after 10 attempts / 15 min. PIN locked after 5 attempts. Server-side cooldown on all auth endpoints.
Full bcrypt compare always runs regardless of whether the email exists. Prevents timing attacks that can reveal valid accounts.
Three steps. Zero plaintext ever sent to our servers.
Your password runs through 600k PBKDF2 iterations in your browser to derive a 256-bit AES key. This key never leaves your device.
Each credential is encrypted client-side with AES-256-GCM and a unique IV before upload. The server receives and stores ciphertext only.
Enter your 4-digit PIN to reveal or copy passwords. Your vault key lives only in sessionStorage — cleared when you close the tab.