Breaking Free from the Cloud: Why We Built a Local-Only Password Vault
In an era where "secure" usually means "encrypted on someone else's server," I found myself craving something simpler. Something that felt like the digital equivalent of a physical notebook in a fireproof safe, rather than a safety deposit box I had to ask permission to access.
This desire led to the creation of Password Vault: a static, local-only tool for generating passwords and TOTP (Time-based One-Time Password) codes that puts data sovereignty back in the hands of the user.
The Spark: Remembering SuperGenPass
The inspiration for this project traces back to a clever old tool called SuperGenPass.
For those who missed it, SuperGenPass was a bookmarklet that didn't store your passwords at all. Instead, it combined a master password with the domain name of the site you were visiting and hashed the two on the fly into a unique per-site password. It was stateless, brilliant, and most importantly, it didn't rely on a central database that could be hacked. The trade-off, which any design in this spirit inherits, is that the master password becomes the single secret: anyone who learns one generated password and the domain it belongs to can try to brute-force the master offline, so the derivation has to use a deliberately slow hash rather than a fast one.
I wanted to bring that same energy to a modern vault that handles both passwords and 2FA.
I grew tired of the modern authenticator landscape. Apps like Authy or Google Authenticator are convenient, but they often lock your "seeds" inside their ecosystem. If you want to move your codes to a new device without their cloud sync, you often hit a wall.
I wanted a vault that was:
- Easy to move around: I should be able to transfer my setup between devices as easily as copying a text file.
- Serverless: It should not require an internet connection or a backend API to function.
- Account-Free: I didn't want to "sign up" for my own security tool.
What is the Password Vault?
The Password Vault is a static web application. In technical terms, it is a collection of HTML, CSS, and JavaScript files that run entirely in your browser.
Because it is a static site, it does not have a database. It does not "ping" a server to check your identity. Once the page is loaded, you could theoretically pull your ethernet cable and it would keep generating valid passwords indefinitely. The TOTP codes keep working too, with one caveat: RFC 6238 codes are derived from the current time, so they stay valid only as long as the device clock is accurate to within the drift the service tolerates, usually a 30-second step or so either way.
Key Features
- Dual Generation: It generates both strong, deterministic passwords (à la SuperGenPass) and standard TOTP codes.
- Local-Only Storage: Your secret keys are stored in your browser's local storage (or an encrypted local JSON file), and nothing is ever transmitted over the network. One caveat worth knowing: browser local storage is not encrypted, and any script running on the same origin can read it, so the device and the code you load on it have to be trustworthy.
- True Portability: Because the app is just a webpage, you can host it yourself (using Caddy, Nginx, or just opening the index.html file).
- Standard Compliance: It uses the standard RFC 6238 TOTP algorithm (the profile nearly every service uses is HMAC-SHA-1, 30-second steps, 6 digits), meaning it works with every major service (Google, Amazon, GitHub, etc.).
The "No Accounts" Philosophy
One of the most distinct features of this vault is what it doesn't store: Your identity.
Unlike LastPass or 1Password, the Password Vault has no concept of "Usernames" or "Email Addresses." It assumes you know who you are. If you are logging into Netflix, you know your email address is me@example.com. You don't need a vault to tell you that.
The vault focuses strictly on the secret part of the equation. It holds the keys and the generation logic, stripping away the bloat of managing a digital address book.
"Public" Accessibility: Use It Anywhere
This stateless, account-free design opens up a powerful use case: Universal Accessibility.
Because you don't need to "login" to the vault to make it work—you just need the code and your master secret—you can use it on any trusted device in a pinch.
Imagine this scenario:
You are visiting your parents' house and want to log into Netflix on their TV. Your phone is dead or charging in the other room. Your parents have their phones right there.
- You open the Password Vault URL on their phone.
- You don't "sign in" or sync a database (which would leave your data on their device).
- You simply type in your master password (for a generated password) or the seed for that specific service (for a 2FA code).
- The site generates the password or 2FA code you need right then and there.
- You use it, close the tab, and walk away.
Since the site is static and the calculation happens in the browser's memory for that session, nothing about your vault has to be written to their device. Two honest caveats apply, though. First, this only holds if the app really does keep what you type in memory and does not save it to local storage on that phone. Second, anything you type on a borrowed device is visible to that device: its keyboard app, any malware on it, and whatever it is syncing. A master password or TOTP seed typed into someone else's phone should be treated as exposed to that phone, and rotated if you have any doubt about it. With those caveats, it is like borrowing a calculator to do a math problem; once you clear the screen, the numbers are gone.
Why This Matters
We live in a time of massive data breaches. If a cloud-based password manager gets compromised, millions of users are at risk.
By using a local-only static site, you remove the largest single target: the central server. There is no "Password Vault" corporate database for hackers to go after. The risk that remains is smaller and under your control, but it is real: it sits in the device running the page and in whoever serves the page's HTML and JavaScript, because anyone who can change those files can change what the page does with your secrets. Keep your own reviewed copy of the files and serve it from a machine you control, and the model holds. It is a return to the philosophy of the early web: small, useful tools that you own, running on hardware you control. It's not just an app; it's a declaration of independence for your digital identity.
