Skip to content
VoidNote
LastPass alternative

A LastPass alternative that was never breached — because we can't be.

LastPass suffered a catastrophic breach in 2022. Attackers stole encrypted password vaults — and because LastPass held enough metadata and used weak key derivation for some accounts, millions of vaults were crackable. VoidNote uses a different model: the server never holds a decryption key at all. There is nothing to steal.

What happened in the LastPass breach

  • ·Attackers accessed a cloud backup containing encrypted password vaults for all customers
  • ·Vault metadata — website URLs — was stored unencrypted, revealing which services users had accounts with
  • ·Accounts using weak master passwords or old PBKDF2 iteration counts (as low as 1 iteration) were crackable offline at scale
  • ·Threat actors began systematically draining crypto wallets tied to high-value accounts

Source: LastPass incident reports, August–December 2022; subsequent reporting by Brian Krebs and security researchers.

Why VoidNote can't be breached the same way

LastPass is a password vault — it stores credentials long-term on a server. That model requires the server to hold encrypted blobs tied to your identity, forever. VoidNote is a one-shot delivery tool — notes self-destruct after reading. There is no persistent vault of your secrets.

Encryption location
LastPass: Client-side, but vault uploaded and stored server-side
VoidNote: Client-side, AES-256-GCM. Server receives only ciphertext.
Key held by server?
LastPass: No, but derived key metadata and iteration count were stored
VoidNote: No. Decryption key lives only in the URL fragment — never sent to the server.
Persistent storage
LastPass: Yes — encrypted vault stored indefinitely
VoidNote: No — notes self-destruct after reading (max 24h)
Breach blast radius
LastPass: All vaults for all customers
VoidNote: Nothing readable — server holds ciphertext with no corresponding key
URL/metadata exposure
LastPass: URLs stored unencrypted in breach
VoidNote: No URL metadata stored — server knows only that a ciphertext exists
Identity linking
LastPass: Vault tied to email and account
VoidNote: Notes have no required identity. Anonymous creation supported.

Honest comparison: VoidNote is not a password manager

LastPass stores all your passwords permanently so you can access them any time. VoidNote does something different: it delivers secrets once, then destroys them. If you need a permanent credential store, use Bitwarden or 1Password for that purpose. Use VoidNote for the moment you need to share a credential — handing off a key to a colleague, provisioning a CI runner, or giving an AI agent temporary access.

VoidNote is the right tool for:

  • Sharing a password with a colleague
  • Delivering API keys to a developer or agent
  • Bootstrapping a CI/CD pipeline with credentials
  • Sending credentials that must not persist

Use a password manager for:

  • ·Storing your own passwords long-term
  • ·Autofilling login forms in your browser
  • ·Syncing credentials across all your devices
  • ·Managing a vault of hundreds of accounts

Feature comparison

Feature LastPass VoidNote
Client-side encryption Yes Yes — AES-256-GCM
Server holds decryption key No (but key metadata stored) Never
Persistent credential storage Yes No — auto-destructs
Breach history Yes — 2022 vault theft None
Secret sharing (one-shot) Via shared folders (persistent) Yes — single-use link
Zero-knowledge architecture Partial Yes — key never reaches server
Anonymous use No Yes
Self-destructing notes No Yes
CLI & SDK No Yes (6 languages)
Free tier Limited 5 free notes on signup

Start sharing secrets the secure way

No vault to breach. No persistent copy. Encrypts in your browser — key never reaches the server.

Get started free Verify the encryption model