What “no cloud” really means for password tools
Local processing reduces some exposure, but it does not make a website invisible to hosting providers, browsers, or malware.
What no cloud should mean
For a credential generator, “no cloud” should mean secret inputs and generated outputs are not intentionally uploaded to a service account or stored in an online credential database.
The page still comes from somewhere
A hosted website is delivered over a network. Hosting systems can see ordinary connection metadata, and the site owner can deploy changed code. Local computation does not remove the need for HTTPS, secure deployment, and transparent dependencies.
The browser is part of the trust boundary
Extensions, injected scripts, developer tools, clipboard managers, and malware may observe sensitive values. Use a maintained browser and avoid entering secrets on untrusted devices.
Offline use
A properly cached or packaged tool may continue working offline, but users should verify the source and version. Saving an unknown webpage locally can preserve malicious code as easily as safe code.
Questions to ask any tool
- Are secret fields transmitted?
- Are dependencies loaded from third parties?
- Is the algorithm documented and versioned?
- Does the tool store values in local storage?
- What recovery options exist?
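
A first pass at the transmission, third-party dependency, and local storage questions can be automated against a saved copy of a tool's page. The script below is an added example, not code from any particular tool; the function name `auditPage`, the sample page, and all host names are constructed for illustration.

```javascript
// Added example: heuristic regex scan of a tool page's source (not an HTML parser).
// A clean result is not proof of safety; findings are starting points for review.
const NETWORK_APIS = /\b(?:fetch|XMLHttpRequest|WebSocket|EventSource|sendBeacon)\b/g;
const STORAGE_APIS = /\b(?:localStorage|sessionStorage|indexedDB)\b/g;

// Constructed sample page; all hosts and file names are placeholders.
const SAMPLE_PAGE = `<!doctype html>
<html><head>
<script src="/app.js"></script>
<script src="https://cdn.example.net/wordlist.js"></script>
<script src="https://static.example.org/lib.js" integrity="sha384-PLACEHOLDER"></script>
</head><body>
<form action="/generate"><input type="password" name="master"></form>
<script>
  localStorage.setItem('lastSite', site);
  navigator.sendBeacon('/metrics', payload);
</script>
</body></html>`;

function auditPage(html, pageUrl) {
  const origin = new URL(pageUrl).origin;
  const findings = { thirdPartyLoads: [], missingIntegrity: [], formTargets: [] };
  // "Are dependencies loaded from third parties?" -> resources from another origin.
  for (const [, tag, attrs] of html.matchAll(/<(script|link|iframe|img)\b([^>]*)>/gi)) {
    const m = attrs.match(/\b(?:src|href)\s*=\s*["']([^"']+)["']/i);
    if (!m) continue; // inline script or tag without a URL
    let url;
    try { url = new URL(m[1], pageUrl); } catch { continue; }
    if (url.origin === origin) continue;
    findings.thirdPartyLoads.push(url.href);
    // A cross-origin script without Subresource Integrity can change silently.
    if (tag.toLowerCase() === 'script' && !/\bintegrity\s*=/i.test(attrs)) {
      findings.missingIntegrity.push(url.href);
    }
  }
  // "Are secret fields transmitted?" -> form targets and network-capable APIs.
  for (const [, attrs] of html.matchAll(/<form\b([^>]*)>/gi)) {
    const m = attrs.match(/\baction\s*=\s*["']([^"']+)["']/i);
    if (m) findings.formTargets.push(m[1]);
  }
  findings.networkApis = [...new Set(html.match(NETWORK_APIS) || [])].sort();
  // "Does the tool store values in local storage?" -> browser storage APIs.
  findings.storageApis = [...new Set(html.match(STORAGE_APIS) || [])].sort();
  return findings;
}

console.log(auditPage(SAMPLE_PAGE, 'https://tool.example/'));
```

Each finding still needs manual review: a flagged API may never touch a secret, and code in separately loaded script files is not covered unless those files are scanned too.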