A full privacy suite — password generation, TOTP authentication, email masking, an encrypted vault, and breach checking. Everything runs on your device. Nothing leaves without your action.
Every tool in SPCTR is built with the same zero-compromise privacy architecture. Nothing leaves your device without your explicit action.
CSPRNG-powered generation with live entropy meter. Configurable length, character sets, and rules. Password history stored in-memory only.
Open tool →Full RFC 6238 implementation using Web Crypto API. HMAC-SHA1 computed on-device. Live countdown arcs, no permissions needed.
Open tool →Generate alias addresses at @spctrmail.com. Enable, disable, or block any mask at any time. Full forwarding stats. No behavioral profiling.
Open tool →AES-256-GCM encryption with PBKDF2 key derivation and automatic key rotation. Master password never leaves your device. A separate Data Encryption Key (DEK) rotates on a randomised schedule, on breach detection, or on demand — so your encrypted data never looks the same twice.
Open tool →Check if your email or password has appeared in a known data breach. Uses k-anonymity — only a partial hash prefix is ever transmitted. Your credentials never leave your device.
Open tool →The SPCTR Browser Extension brings your entire privacy suite into your toolbar — free on every plan. Autofill, vault access, live 2FA, email masks, and password generation without switching tabs.
Vault access, autofill, live 2FA codes, email masks, and password generation — all from your browser toolbar. Install once, never switch tabs for passwords again.
SPCTR is designed around a single principle: your private data belongs to you. Every architectural decision flows from that.
Your master password never leaves your device. All encryption and decryption happens locally using the Web Crypto API before any data is transmitted.
No contacts, microphone, or location — ever. Camera access is requested only for QR code scanning in the TOTP tool, and only when you tap scan. Vault is encrypted with a rotating Data Encryption Key (DEK) — auto-rotated on a random schedule, immediately on breach detection, or on demand. No data leaves your device unless you enable sync. Vault data is stored in IndexedDB — unaffected by cache clearing.
No third-party analytics SDK. No crash reporters that phone home. No A/B testing infrastructure. No advertising network integrations.
SPCTR sets zero application cookies. Infrastructure cookies from Cloudflare
(e.g. __cf_bm, cf_clearance) are set by Cloudflare's
network solely to protect against bots — not by SPCTR, containing no
personal usage data.
Every tier includes the full privacy architecture. Privacy is not a premium feature — it's the foundation.
No proprietary crypto. No homegrown security algorithms. SPCTR is built on open, auditable standards used by the security community.