Changelog
What's changed.
Every update, fix, and feature — documented. Lock My Vault is actively maintained and continuously improved.
Replaced PBKDF2-based KDF with real Argon2id via hash-wasm (WASM). RFC 9106 compliant: 64 MB memory, 3 iterations, parallelism 1.
Memory-hard key derivation resists GPU and ASIC brute-force attacks — a fundamental upgrade over PBKDF2.
hash-wasm library (MIT) inlined — WASM binary embedded as base64, zero external requests.
Backwards compatible: old vault files open via legacy PBKDF2 fallback, then auto-upgrade to Argon2id on save.
KDF badge in sidebar: green Argon2id or yellow PBKDF2 (legacy).
CSP updated: added wasm-unsafe-eval for WASM. All other restrictions unchanged.
Unlock always performs exactly 2 KDF derivations. Dummy derivation runs when no decoy exists, preventing timing-based detection.
Removed dead code in decoy unlock path.
Minimum master password raised from 8 to 12 characters.
Common password blocklist added — passwords like "password123" are now rejected.
Strength scoring penalizes single-class passwords (all lowercase, all digits).
Integrity hash mandatory for saved vaults — removing it now triggers the tamper warning.
Clipboard countdown timer now working — shows 30s countdown after copying a password.
Vault file format v4 with explicit kdf field.
Removed Google Fonts CDN — landing page uses system fonts. Zero external requests.
Added CSP to landing page — matches app's strict policy.
All sidebar navigation items replaced with clean, meaningful SVG icons.
Sidebar footer action buttons (Save, Lock, Decoy, Import, Export) all have matching SVG icons.
Entry row action buttons all use SVG icons — copy, user, link, 2FA, eye, edit, trash.
Copy password — copies silently, auto-clears clipboard after 30s.
Copy username — one tap to copy. Shown only when entry has a username.
Copy URL — copies the site URL directly. Shown only when entry has a URL.
Copy 2FA code — copies the live TOTP code. Toast shows seconds remaining before expiry.
Each custom category now has an edit button — opens modal pre-filled with current name and icon.
Delete button per custom category. Entries using it are moved to Other automatically.
Built-in categories are not affected — only custom ones can be edited or deleted.
The 30s countdown display was removed. Auto-clear still happens silently after 30 seconds — security preserved.
Export passwords as CSV — compatible with Google Passwords, Bitwarden, and 1Password import.
Export as Plain Text — numbered, labeled entries. Good for printing and physical backup.
Scope selector — export all entries or current filtered category only.
Live preview of export format before download. Passwords masked in preview.
Red security warning shown before every export — exported files are unencrypted plain text.
Accessible from sidebar and via ⌘K command palette.
Auto-lock inactivity timer increased from 10 minutes to 30 minutes.
Lock bar and timer display updated accordingly.
Fix: Clicking outside an entry or note modal, pressing Escape, or clicking Cancel now warns before discarding unsaved data.
Fix: New entries: warns if any field contains content. Edited entries: warns only if something actually changed from the saved original.
Fix: All four exit paths covered: overlay click, Escape key, X button, Cancel button.
Fix: Auto-lock no longer fires mid-edit. If an entry or note modal is open when the timer expires, the timer resets and a warning toast appears instead of locking.
Fix: Added test mode: set window.__TEST_LOCK = true in console before reload to reduce timer to 10 seconds for testing.
Fix: Resolved JS syntax error that caused the entire app to fail parsing — triggerOpen() appeared undefined.
Full code audit: brace balance, duplicate functions, missing IDs, dangling intervals — all clean.
High: Vault creation now enforces minimum password strength (score ≥ 2) — not just length.
High: Sensitive globals cleared after save: __pendingDecoy nulled, decrypted variable nulled after assignment to vault.
Medium: Legacy PBKDF2 fallback removed — dead code eliminated, all users migrated to Argon2id.
Low: revealedNotes set cleared on lock — notes no longer stay revealed after locking.
Low: TOTP preview interval stopped on lock — live codes stopped running after vault locks.
Search debounced at 150ms — DOM rebuilds reduced ~80% during typing. Timer cleared on vault lock.
Badge updates now single-pass O(n) — was O(n×k). One loop builds a count map, all badges assigned from it.
Password reveal toggle added to unlock screen — eye button on master password and confirm fields.
Health dashboard cards now clickable — click Weak or Reused card to expand a filtered entry list below.
Text contrast improved: --ink2 brightened to #9090b8, --muted to #4a4a6a.
Dark text input fix: -webkit-text-fill-color added to all inputs — fixes Safari/iOS forced dark text.
Secure Notes expanded to 9 categories: added Crypto/Seeds, License & Serial, Identity & Documents.
Mobile password reveal fixed — pass-cell now spans full width on row 3, always visible.
App installable on Android, iPhone, and desktop — works fully offline once installed.
Added manifest.json, sw.js service worker, icon.svg, icon-192.png, icon-512.png.
CSP updated: added worker-src 'self' and manifest-src 'self' — without these the service worker was blocked.
Sidebar becomes a slide-over drawer on mobile — hamburger button (☰) in topbar, tap overlay to close.
Entry rows reflow to card layout on mobile — site name, tags, username, and action buttons in a readable stack.
Modals and command palette slide up from the bottom on mobile (sheet style).
Added legacy PBKDF2 fallback so old vaults could be opened and migrated to Argon2id on next save.
Replaced single PBKDF2 with multi-phase KDF: PBKDF2-SHA256 × 310k → PBKDF2-SHA512 × 100k → XOR memory mix → AES-256-GCM.
Unlock takes 1-2 seconds by design — spinner and hint shown during key derivation.
SHA-256 hash of vault contents stored inside encrypted payload — detects external tampering on open.
Fixed false positive: both compute and verify use same method (shallow copy + delete hash + stringify).
Second password opens a completely different fake vault — both passwords produce valid decryptions.
Embedded in same .vault file. Replace flow warns that old decoy password stops working after save.
Store Base32 TOTP secrets encrypted in vault entries. Live 6-digit code generation via HMAC-SHA1 (RFC 6238).
30-second countdown with color: green > yellow > red. Live preview in entry modal while setting up.
Fully offline — zero network requests. Compatible with Google Authenticator and any RFC 6238 app.
New section for sensitive text — recovery keys, SSH keys, seed phrases, serial numbers, API tokens.
9 categories with distinct color tags. Content hidden by default with per-note reveal toggle.
Fully encrypted inside same .vault file. Clipboard auto-clear after 30 seconds.
AES-256-GCM encryption via Web Crypto API — authenticated encryption, no external libraries.
PBKDF2-SHA256 key derivation at 310,000 iterations. Random 128-bit salt + 96-bit IV per save.
Strict CSP: connect-src 'none' blocks all outbound network requests permanently.
XSS hardened — all user data rendered via textContent, never innerHTML.
Password entries: add, edit, delete. 12 built-in categories. Custom categories with emoji/symbol icons.
Password generator (22 chars, rejection sampling, no modulo bias). Strength meter with 6 levels.
File versioning — every save increments filename (vault_v1.vault, v2, v3...). Version stored inside encrypted vault.
Clipboard auto-clear after 30 seconds. Auto-lock after 10 minutes of inactivity.
Command palette (⌘K). Password health dashboard. Google Passwords CSV import with duplicate detection.