LEMONADE PASSWORD MANAGER
v0.3.11 // docs.lemonadepass.app
Your secrets. Encrypted. Yours.
v0.3.11// GETTING STARTED
Sign Up
Sign in with your Google account and you're ready to use Lemonade. If you need encrypted environment variable storage, you can set up an Env Vault master password later.
First Password
Add your first credential to the vault. Store usernames, passwords, URLs, and notes β all encrypted and synced across devices.
Install Extension
Get the Chrome or Firefox extension. It auto-fills credentials on sites that match URLs saved in your vault.
// PASSWORD VAULT
AES-256 Encryption
Your credentials are encrypted and stored securely in Firebase. Sensitive fields are protected with server-side encryption.
Auto-fill
Browser extension detects login forms and fills credentials instantly. Supports Chrome and Firefox.
Security Audit
AI-powered analysis detects weak and reused passwords. Get actionable recommendations to strengthen your vault.
Secure Sharing
Share credentials with other Lemonade users. Select a contact, share, and they receive it securely in their vault.
// Env Vault Encryption (client-side, zero-knowledge)
master_password = user_input()
salt = crypto.getRandomValues(new Uint8Array(16))
key = await crypto.subtle.deriveKey(
{ name: 'PBKDF2', salt, iterations: 100000, hash: 'SHA-256' },
masterKeyMaterial,
{ name: 'AES-GCM', length: 256 }
)
iv = crypto.getRandomValues(new Uint8Array(12))
ciphertext = await crypto.subtle.encrypt(
{ name: 'AES-GCM', iv },
key, plaintext
)
// master_password and key NEVER leave the device
// Password Vault: encrypted server-side via Cloud Functions// ENV VAULT
Environment Variable Storage
Store and manage your environment variables securely. Drag and drop your project folder and Lemonade automatically extracts all .env files. They are encrypted and synced across your devices, never stored in plaintext.
Drag & drop your project folder here
.env
Default
.env.local
Local
.env.production
Production
.env.development
Development
// SECURITY AUDIT
Compromised
Passwords flagged as compromised by AI analysis. Change them immediately.
Weak
Passwords classified as weak or very weak. Consider updating them.
Medium
Passwords with acceptable strength that could still be improved.
Strong
Passwords with high entropy rated as strong by AI-powered analysis.
// BROWSER EXTENSIONS
Chrome Extension
- Download from Chrome Web Store or load unpacked
- Sign in with your Lemonade account
- Click the extension icon to auto-fill credentials
{
"manifest_version": 3,
"name": "Lemonade Password Manager",
"version": "0.3.11",
"permissions": ["activeTab", "storage", "identity"],
"background": {
"service_worker": "background.js"
}
}Firefox Extension
- Install from Firefox Add-ons or load as temporary extension
- Sign in with your Lemonade account
- Click the extension icon to auto-fill credentials
Firefox uses browser.* APIs with native Promises instead
of chrome.* callbacks. Background uses scripts array instead of service_worker.
// SECURITY ARCHITECTURE
βββββββββββββββββββββββββββββββββββββββββββββββββββββ
β LEMONADE CRYPTO PIPELINE (ENV VAULT) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Env Vault Master Password β
β β β
β βΌ β
β ββββββββββββ β
β β PBKDF2 β iterations: 100,000 β
β β SHA-256 β salt: random per user β
β ββββββ¬ββββββ β
β β β
β βΌ β
β Derived Key (256-bit) β
β β β
β βΌ β
β ββββββββββββββββ β
β β AES-256-GCM β iv: random per operation β
β β Encrypt β auth tag verified β
β ββββββββ¬ββββββββ β
β β β
β βΌ β
β Ciphertext β Firebase Firestore β
β β
β β Master password NEVER leaves device β
β β Derived key stored in sessionStorage only β
β β Server stores ONLY encrypted data β
βββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β PASSWORD VAULT β
β β
β Password entries are encrypted server-side β
β via Firebase Cloud Functions with managed keys β
β Data in transit protected by HTTPS/TLS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββAES-256-GCM
Galois/Counter Mode provides both confidentiality and authenticity. Each encryption operation uses a unique 96-bit IV. The 128-bit authentication tag ensures data integrity and detects tampering.
Zero-Knowledge (Env Vault)
The Env Vault uses true zero-knowledge architecture. Your master password never leaves your device. Encryption and decryption happen entirely in the browser using Web Crypto API. The server stores only ciphertext.
Key Derivation: PBKDF2
PBKDF2 with 100,000 iterations of SHA-256 transforms your Env Vault master password into a 256-bit encryption key. A random salt per user prevents rainbow table attacks.
// FAQ
Lemonade offers a free tier with core features including password storage, browser extension, and security audit. Premium unlocks unlimited passwords, env vault, secure sharing, and more.
Encrypted data is stored on Firebase. Only ciphertext reaches our servers. Decryption happens exclusively on your device using your master password.
Your account uses Google or email authentication. If you set an Env Vault master password, that cannot be recovered since it is zero-knowledge β only you know it.
Lemonade is a PWA (Progressive Web App). You can install it on any device directly from the browser, no app store needed. It requires an internet connection to access your vault securely.
You search for a user, select the credential to share, and it is sent securely through authenticated server endpoints. The recipient can accept or reject the shared credential in their vault.