N-Pass

Zero-knowledge password manager — Chrome / Firefox / Edge extension.

N-Pass is a zero-knowledge password manager built and hosted in the European Union. Your master password and your Secret Key never leave your device. Everything in your vault — passwords, notes, cards, identities, TOTP codes, SSH keys — is encrypted with keys derived locally and never transmitted in the clear. WHY ANOTHER PASSWORD MANAGER Most password managers either (a) cost too much and shrink your free tier every year, or (b) self-hosted-only and a hassle. N-Pass is built for people who want the polish of 1Password with the EU-residency guarantees of Proton — without the price hikes, without the data-broker subsidiaries. KEY FEATURES • Zero-knowledge encryption (XChaCha20-Poly1305 + X25519 + OPAQUE-3DH + Argon2id) • Master Password + Secret Key model — even a server compromise cannot decrypt your vault • Autofill on any site, with phishing-aware host matching • Search your vault directly from the popup — filter by site, title, or username • Change passwords inline from the popup — no detour to the web app; changes sync across web + mobile within seconds • Built-in password generator (Ctrl+Shift+G in any page, or the ✨ button in the edit panel) • Watchtower-style security checks: weak passwords, password reuse, breached credentials (via HIBP k-anonymity), expired items, and duplicate logins detected automatically • TOTP / 2FA codes stored alongside the matching login — autofilled together • Passkey / WebAuthn support — sign in with Touch ID, Face ID, Windows Hello, or YubiKey • Save-on-submit prompt — N-Pass detects new credentials as you sign up • Item categories: logins, secure notes, credit cards, identities, SSH keys, bank accounts, WiFi networks, crypto wallet seed phrases, software licenses, TOTP-only entries • Shared vaults for families (up to 5 members) and businesses with role-based access • Watchtower for compromised websites — alerts when a service you use is breached • Import from 1Password (.1pux), Bitwarden (.json), LastPass (.csv), KeePass (.kdbx), browser CSV exports • Bitwarden-compatible export — your data is never locked in PRIVACY & TRUST • Built and hosted in the European Union by Nutri Nordic AB (Sweden) • Vault data stored on Neon Postgres in the EU region • No analytics, no marketing pixels, no third-party trackers in the extension • No background telemetry — the extension never reports your browsing to any server • Open about what we collect (account email only) in our Privacy Policy: https://npass.me/legal/privacy • Independent crypto-review for any change to the core encryption pipeline • EU GDPR compliant — Data Processing Agreement available at https://npass.me/legal/dpa HOW THE ENCRYPTION WORKS When you create an account, your master password and a 26-character Secret Key are combined locally and stretched with Argon2id (OWASP-floor parameters, ~1 second on a modern laptop). The result is your account key (K_account). This key encrypts your vault key, which encrypts your item keys, which encrypt your actual passwords. None of these keys are ever sent to our server. When you sign in, OPAQUE-3DH proves to the server that you know your master password — without revealing it. Your encrypted vault is returned and decrypted locally. Even if our server is compromised, an attacker sees only ciphertext. PERMISSIONS — WHY WE NEED EACH ONE • storage — keeps your encrypted vault cached locally so it loads instantly without re-fetching every page • alarms — schedules the vault auto-lock timer after the idle interval you set in settings • tabs — reads the URL of the focused tab so the popup can surface matching logins, and broadcasts "lock now" to other open tabs when you lock from one of them • idle — locks the vault automatically when your computer goes idle • host_permissions (https://*/*) — required for autofill to work on any site you've saved. We never send URLs anywhere — host-matching is computed locally in the extension WHAT WE DO NOT DO • Sell your data — we have no advertising business, no data partnerships • Track your browsing — the extension makes no requests except to N-Pass's own server when you save / load items • Run remote code — every line of JavaScript in this extension was reviewed and ships in this package • Lock you in — Bitwarden-compatible export means your data is portable from day one CROSS-SURFACE This extension pairs with the N-Pass web app at https://npass.me. Mobile apps for iOS and Android are in TestFlight / Internal Testing as of mid-2026; see https://npass.me for the launch list. SUPPORT • Help & documentation: https://npass.me/docs • Privacy policy: https://npass.me/legal/privacy • Terms of service: https://npass.me/legal/terms • Security questions / responsible disclosure: security@npass.me • General contact: hello@npass.me