Verify Zero-Knowledge Yourself
Don't trust us - verify it yourself.
Why verify? Zero-knowledge means your data is encrypted BEFORE it leaves your device. This tutorial shows you how to prove it using your browser's built-in tools.
1. Open Developer Tools
Every modern browser has Developer Tools (DevTools) built in. Here's how to open them:
macOS:
- Chrome / Edge: Cmd + Option + I
- Firefox: Cmd + Option + I
- Safari: Cmd + Option + I (first enable it in Safari > Settings > Advanced > "Show features for web developers")
Windows:
- Chrome / Edge / Firefox: Ctrl + Shift + I or F12
2. Go to the Network Tab
Once DevTools is open, click on the "Network" tab at the top. This shows all requests your browser makes to the server.
Tip: Check the "Preserve log" checkbox to keep the history when the page reloads.
3. Test 1: Create a Vault
With the Network tab open, create a new vault named "Test Vault". Then look for the request to /api/vaults.
Click on the request, then look at the "Payload" or "Request" tab (name varies by browser).
```json
{
  "encryptedData": {
    "version": 1,
    "alg": "AES-256-GCM",
    "iv": "aBcD1eF2gHiJ3kL4mN5oP6",
    "ciphertext": "xY9Zj8K7lM6nO5pQ4rS3tU2vW...",
    "tag": "a1B2c3D4e5F6g7H8"
  }
}
```
Observation: "Test Vault" appears NOWHERE in the request. Only encrypted gibberish is sent to the server.
4. Test 2: Add a Password
Now add an item with:
- Username: myEmail@test.com
- Password: SuperSecret123!
Look for the request to /api/items.
Observation: Neither "myEmail@test.com" nor "SuperSecret123!" appears anywhere in the request. Only encrypted data is sent.
5. Test 3: Search All Requests
For the ultimate test, use the search function to look for your plaintext data across ALL requests:
- macOS: Cmd + F
- Windows: Ctrl + F
Search for: "Test Vault" or "SuperSecret123!"
Result: No matches found. Your plaintext data never left your device.
6. Understanding the Encrypted Data
Here's what each field in the encrypted data means:
| Field | Purpose |
|---|---|
| version | Encryption format version |
| alg | Algorithm used (AES-256-GCM) |
| iv | Initialization Vector (different for every encryption) |
| ciphertext | Your actual data, transformed into unreadable gibberish |
| tag | Authentication tag (detects tampering) |
7. What the Server Sees vs What You See
| You see | Server receives |
|---|---|
| Work Passwords | xY9Zj8K7lM6nO5pQ4... |
| john@gmail.com | mN9oPq8rS7tUvW6x... |
| MyP@ssw0rd! | aBcD1eF2gHiJ3kL4... |
| https://bank.com | qR5sT6uV7wX8yZ9a... |
Conclusion
You just proved that PasswordOwl uses true zero-knowledge encryption.
Your vault names, usernames, passwords, and notes are encrypted in your browser BEFORE they're sent to our servers. Even if our servers were compromised, attackers would only find encrypted gibberish that is computationally impossible to decrypt without your master password and secret key.
Bonus: What About Your Master Password?
During login, your master password is sent over HTTPS (protected in transit by TLS) and verified using PBKDF2 (100,000 iterations). The server stores only a salted PBKDF2 hash, never your plaintext password. Your vault data remains encrypted and inaccessible to the server at all times: even with server access, it cannot be decrypted without your master password and secret key.