possum

what "zero-knowledge" actually means

the master password never leaves your browser. the server only ever sees encrypted blobs. that has consequences — both why it's safe and why we can't help if you forget.

4 steps, ~3 min

  1. encryption happens in your browser

     your master password unlocks an aes-gcm key (derived via pbkdf2). every entry encrypts and decrypts in javascript on your computer.

  2. the server stores ciphertext only

     what posts to wymzy is the encrypted blob — random-looking bytes that mean nothing without the key. we can't read your passwords because we don't have the key.

  3. recovery codes wrap the key separately

     each of your 10 codes wraps the same master key under a different unlock path. that's how recovery works without the server ever seeing your master password.

  4. the cost — no "reset password" button

     if you forget the master password and lose the recovery codes, no one can help. that's the trade. it's also the reason you can trust the vault with a client's stripe login.

     tip: use a real password manager (1password, bitwarden) to store your possum master password and recovery codes. yes, even a password manager has a master password — keep that one in your head and on paper in a safe place.
