One password to rule them all. Your master password is the single key that unlocks your entire vault — and it never leaves your device.
Your Pivlu account password (for accounts.pivlu.com) and your vault master password are completely separate. Compromising one doesn't affect the other.
Your master password is processed through PBKDF2 with 600,000 iterations and a random 256-bit salt. This makes brute-force attacks computationally infeasible.
PBKDF2 produces 512 bits, split into two keys: an auth key (sent as a hash for server verification) and an encryption key (kept locally for data decryption).
There is no "forgot password" flow for your master password. We cannot reset it because we don't have the decryption key. This is a security feature, not a limitation.
A cryptographically random 256-bit salt is generated during setup and stored on the server. The salt ensures the same password produces different keys for different users.
The password and salt are fed through PBKDF2-SHA256 for 600,000 iterations. This slow derivation makes each brute-force guess take milliseconds — even on GPUs.
The 512-bit output is split: the first 256 bits become the auth key (hashed again and sent to the server), and the last 256 bits become the encryption key (stays in the browser and decrypts your data).
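The three derivation steps above as a runnable sketch, added here as an illustration and not Pivlu's own code. It uses Python's `hashlib` in place of the browser's crypto API; the SHA-256 used for the "hashed again" step, the NFKC normalization of the password, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata

ITERATIONS = 600_000  # iteration count stated on the page
SALT_BYTES = 32       # 256-bit salt
KEY_BYTES = 32        # auth key and encryption key are 256 bits each


def new_salt() -> bytes:
    """Setup: cryptographically random 256-bit salt, stored on the server (not secret)."""
    return secrets.token_bytes(SALT_BYTES)


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """PBKDF2-SHA256 to 512 bits, split into (auth_key, enc_key)."""
    # Assumption: normalize so the same password typed on different
    # keyboards or platforms encodes to the same bytes.
    pw = unicodedata.normalize("NFKC", master_password).encode("utf-8")
    # With SHA-256 the 64-byte output is two 32-byte PBKDF2 blocks,
    # so each half is computed independently of the other.
    okm = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS, dklen=2 * KEY_BYTES)
    return okm[:KEY_BYTES], okm[KEY_BYTES:]


def auth_hash(auth_key: bytes) -> str:
    """Value sent to the server. Assumption: the 'hashed again' step is SHA-256."""
    return hashlib.sha256(auth_key).hexdigest()


def server_verify(stored_hash: str, presented_hash: str) -> bool:
    """Hypothetical server-side check: constant-time comparison of auth hashes."""
    return hmac.compare_digest(stored_hash, presented_hash)


if __name__ == "__main__":
    salt = new_salt()
    # Constructed sample password, for demonstration only.
    auth_key, enc_key = derive_keys("correct horse battery staple", salt)
    print("salt (stored on server):", salt.hex())
    print("auth hash (sent)       :", auth_hash(auth_key))
    print("encryption key (local) :", len(enc_key) * 8, "bits, never transmitted")
```

The server stores only the salt and the auth hash, so it can verify a login without ever holding the half of the output that decrypts the vault.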
Remember one strong password — Vault handles the rest.