MrW Vault Firefox

MrW Vault

Self-hosted Zero Knowledge Password Manager

Features & Capabilities

🛡️ MrW Vault Security and Architecture Documentation

MrW Vault is a powerful, cross-platform, and cloud-based password manager where your data is encrypted on your device using "Zero-Knowledge" architecture before being transmitted to the server.

This document provides technical details on how the system is designed, how it protects your data, and how the end-to-end encryption chain operates. 🏗️ 1. General Architecture (Software Stack)

MrW Vault features a performance-oriented stack built on modern web standards and security APIs:

Backend (Server): Powered by ElysiaJS & Bun, offering high I/O, low latency, and native WebSocket support.

Database: PostgreSQL, managed via Prisma ORM.

Frontend (Client/Extension): Built with React, Vite, and Tailwind CSS. Packaged as a Chrome/Edge Extension (Manifest V3) using CRXJS.

Cryptography: Utilizes the browser's native and optimized Web Crypto API (AES-256-GCM, PBKDF2).

Server Management (Reverse Proxy): Secure HTTPS connections (SSL/TLS) managed via Nginx.

🔒 2. What is Zero-Knowledge Architecture?

The "Zero-Knowledge" approach is a security principle where the server (and the service provider) cannot read user data.

In MrW Vault:

Your passwords, credit card info, or notes are never sent to the server as plaintext.

Encryption occurs inside your browser (client-side) using your Master Password.

The server only stores encrypted strings (ciphertext) and initialization vectors (IV). Even if our server were compromised, attackers could not read your data.

🔑 3. Cryptographic Lifecycle

When a user registers or logs in, the following cryptographic chain occurs in the background: Step A: Master Key Derivation

The user enters an email and a Master Password.

The user's unique KDF Salt is retrieved from the server (a random 16-byte salt is generated during registration).

The browser processes the Master Password and Salt using the PBKDF2-HMAC-SHA256 algorithm with 600,000 iterations.

This results in a 256-bit Master Key, which is kept only in volatile memory (sessionStorage/background service worker) and is never sent to the server.

Step B: Authentication Hash

How does the server verify you without knowing your Master Password?

The derived Master Key is processed again through PBKDF2 (using a different fixed salt and 600,000 iterations).

The resulting Auth Hash is sent to the server.

The server compares this with the stored hash to grant access via a secure JWT Token.

🛡️ 4. In-Vault Encryption Process

When you add a new entry (e.g., a Netflix password):

The app converts your data into a standard JSON object.

The Web Crypto API generates a random 12-byte Initialization Vector (IV) for each operation.

The app encrypts the JSON data using the Master Key, the random IV, and the AES-256-GCM algorithm. GCM mode not only encrypts but also appends an Authentication Tag.

The resulting Ciphertext (including the Tag) and IV are sent to the server. Only the entry type (Login, Note) and Folder ID remain unencrypted for organizational purposes.

Decryption Process

The browser retrieves the ciphertext and IV from the server.

The browser decrypts the data using the Master Key in its memory.

Thanks to GCM mode, if the encrypted data has been altered in any way (even a single bit), a cryptographic error is thrown, and decryption stops immediately (Tamper-proof).

🌍 5. Environment and Cross-Platform Security

Manifest V3: The extension adheres to modern Chrome security standards.

Shadow DOM: Save/Update pop-ups injected into web pages are isolated from the page's own CSS/JS, preventing CSRF and Clickjacking attacks.

Background Service Worker: Critical operations occur in an isolated background process. Content scripts cannot directly access keys or decrypted vault data.

JWT & XSS Protection: API authentication uses encrypted JWTs. External data is strictly sanitized via DOMPurify before rendering to prevent XSS attacks.

Summary: With MrW Vault, your data is locked with industry-standard AES-256 before it ever leaves your browser, and the only key (your Master Password) remains solely in your mind.

User Growth & Download Statistics

Manifest V3 Add-on
By:
Kadir Çelebi
Daily users:
-
Version:
1.0.26.0 Last updated: 2026-03-02
Version code:
6164372
Creation date:
2026-02-27
Risk:
High risk impact High risk likelihood
Permissions:
Host permissions:
  • http://*/*
  • https://*/*
Content scripts matches:
  • <all_urls>
Size:
225.32KB
URLs:
Privacy policy
Full description:
See detailed description
Source:
Firefox Add-ons Store
Data ingested on:
2026-07-16
Compare stats and ranking:

Contact the developer

Chrome-Stats does not own this Firefox add-on. Please use these information below to contact the Firefox add-on developer.
Developed by:
Kadir Çelebi
Firefox Add-ons Store
https://addons.mozilla.org/firefox/addon/mrw-vault/

Is MrW Vault Safe?

Risk impact
Risk impact measures the level of extra permissions an extension has access to. A low risk impact extension cannot do much harms, whereas a high risk impact extension can do a lot of damage like stealing your password, bypassing your security settings, and accessing your personal data. High risk impact extensions are not necessarily malicious. However, if they do turn malicious, they can be very harmful.

MrW Vault requires some sensitive permissions that could impact your browser and data security. Exercise caution before installing.

Risk impact analysis details
  • Critical Grants access to browser tabs, which can be used to track user browsing habits and history, presenting a privacy concern.
  • Critical ****** ****** ** *** ********* ****** * *********** ******** **** ** ** *** ******* *** ****** **** **** *** ******* *****
  • High ****** ********* ** * ****** ******** ******** ********** * ******* ******* *****
  • High ******* ******* **** *** ****** ***** *** ***** ** ******* **** ********* ********* ** * *********** *****
Risk likelihood
Risk likelihood measures the probability that a Firefox add-on may turn malicious. This is determined by the publisher and the Firefox add-on reputation on Firefox Add-ons Store, the amount of time the Firefox add-on has been around, and other signals about the Firefox add-on. Our algorithms are not perfect, and are subject to change as we discover new ways to detect malicious extensions. We recommend that you always exercise caution when installing a Firefox add-on.

MrW Vault may not be trust-worthy. Avoid installing if possible unless you really trust this publisher.

Risk likelihood analysis details
  • High This extension has low user count. Unpopular extensions may not be stable or safe.
  • Medium **** ********* *** ***** ** *** **** * ******* *** ********** *** *** ** ****** ** *****
  • Low **** ********* *** ******* **** **** * ****** **** ***** ******** *** **** ****** ** ** ****** *** *****
Extension Guard
Extension Guard

Discover every extension in use, analyze risks, and enforce blocking policies with Extension Guard

Secure Your Browser
Upgrade to see full risk analysis details

Best MrW Vault Alternatives

Here are some Firefox add-ons that are similar to MrW Vault: