DEV Community

Cover image for Your Password Vault Is Sitting on Someone Else's Server Right Now. Here's the Free Manager I Built That Keeps It on Your Device.
ButcherBoyBD
ButcherBoyBD

Posted on

Your Password Vault Is Sitting on Someone Else's Server Right Now. Here's the Free Manager I Built That Keeps It on Your Device.

#privacy #webdev #tools #opensource

I want to talk about something the password manager industry has quietly normalized — and most users never think twice about.

When you set up a cloud password manager, your encrypted vault ends up on their server. Not on your device. On theirs. In a data center you have no visibility into, managed by a security team you'll never meet, protected by infrastructure that is, by definition, a centralized target.

And here is the part that should give everyone pause: a successful attack on that server doesn't just expose one person's vault. It exposes every customer's vault simultaneously.

Omega Password Master — One Vault. All Your Passwords. AES-256-GCM Encrypted. Free Forever.

The Problem Nobody Quantifies

The LastPass breach of 2022 is the case study everyone cites and almost nobody finishes. Yes, the vaults were encrypted. Yes, the master passwords weren't stored. But the encrypted vaults were exfiltrated — and that means attackers have unlimited time to try to crack them offline, with no rate limiting, no lockouts, no time pressure.

A strong master password makes cracking slow. It does not make it impossible. "Slow" is a relative term when the payoff is access to someone's entire digital life — every account, every service, every saved credential in one place.

This is not a criticism of LastPass specifically. This is the architecture. Any system where your vault lives on an external server is a system where a breach of that server can hand your encrypted data to someone with unlimited time and motivation to decrypt it.

There is a second part that gets even less discussion: cloud password managers are businesses. Businesses need revenue. Free tiers get restricted. Prices increase at renewal. Features disappear behind paywalls. Your access to your own passwords — to your own digital identity — becomes contingent on a company's continued existence and its decisions about monetization.

What a Local Vault Actually Changes

If your vault never leaves your device, it cannot be exfiltrated in a server breach. Not because the encryption is better. Because there is no server to breach.

The entire category of risk that has exposed millions of cloud password manager users simply does not exist in an offline-first architecture. You eliminate it by design, not by defense.

I built Omega Password Master — a free, open source, portable password manager for Windows that stores your encrypted vault entirely on your local device. No account. No server. No cloud connection required after download. No subscription. No premium tier. Free under the MIT license, indefinitely.

Omega Password Master — extract, run, create vault. Done in under 60 seconds.

The Encryption Stack — In Plain Terms

Vault Encryption: AES-256-GCM. The same standard used by financial institutions and governments. Provides both encryption and authenticated integrity verification — meaning any tampering with the vault file is detectable before decryption even runs.

Key Derivation: PBKDF2 at 310,000 iterations with SHA-256. Your master password is never stored anywhere. It is used to derive the encryption key through 310,000 rounds of hashing — then discarded. The iteration count is deliberately high: it makes brute-force and dictionary attacks computationally expensive on any realistic hardware.

Authentication: bcrypt for login. The vault key is derived separately and held in memory only while the vault is open. Step away, it locks. Power off, it is gone from memory entirely.

Recovery: 3 security questions at first setup generate a recovery file stored in the .omegadata folder. No email resets. No support tickets. If you forget your master password, answering all 3 correctly restores access. Your recovery stays in your hands — not in an inbox or a company's queue.

What's Inside

  • 🔐 AES-256-GCM vault — separate username, email, password, and URL fields per entry
  • 📝 Secure Notes — encrypted storage for recovery codes, PINs, private keys, anything that does not fit a password field
  • 📲 Built-in TOTP Generator — 2FA codes generated locally; no separate authenticator app needed, no 2FA secrets leaving your device
  • 🔑 Password Generator — cryptographically strong, fully local, configurable character sets and length
  • 🌐 Browser Import — import directly from Chrome, Edge, and Firefox via OS-level decryption; no upload at any point
  • ☁️ Encrypted Auto-Backup — point at your Google Drive or OneDrive sync folder; backups are encrypted .opm files only your master password can open
  • 📋 Clipboard Auto-Clear — copied passwords cleared from clipboard after a configurable timeout
  • 🔒 Auto-Lock on Inactivity — vault closes itself after idle time you define
  • 📄 PDF Export — printable emergency backup, optionally with or without password values shown
  • 📖 User Guide — built-in guide.html ships with the app, one click from the sidebar

Three Steps. No Installer. No Admin Rights.

Step 1: Download the ZIP (~129 MB) — the complete portable application, nothing else required

Step 2: Extract to any folder — Desktop, USB drive, external hard drive, anywhere you want

Step 3: Run, set your master password, answer 3 recovery questions — vault ready in under 60 seconds

No changes to your Windows registry. No system folders touched. The vault lives in a hidden .omegadata folder next to the application. To move to another PC: copy the entire folder, paste it, run. That is the complete migration process.

Portable by design. Extract to a USB drive and your encrypted vault travels with you. Plug into any Windows PC, run the executable, open with your master password. No installation on the host machine.

Works on Windows 7, 8, 10, and 11.

What's New in v1.0.1 — June 2026

  • ✅ Built-in User Guide (guide.html) + User Guide button in sidebar
  • ✅ Username and Email are now separate input fields — better organisation and smarter import deduplication
  • ✅ Fixed UI panel scrolling (flexbox min-height: 0 fix)
  • ✅ Breach Alerts now clearly states it checks emails via XposedOrNot
  • ✅ Custom emoji icon input field widened for more comfortable typing

Who This Is For

If you already use a solid password manager and understand threat models, you know immediately whether local storage fits yours. It is a trade-off — if your device is physically compromised and unlocked, the vault is exposed. No local manager solves every problem.

But if you are someone who has never felt right about your entire digital identity sitting on a company's server — or you know people who reuse weak passwords because every manager they have tried demanded an account and a subscription — this is built for that.

The hardware they already own is powerful enough. The only thing missing was a tool built around the user's control, not around a monetization roadmap.

That is what Omega Password Master is.

📥 Download v1.0.1 — Free, Portable, No Account Required:
👉 aitoolboxbd.com/free-pc-softwares/omega-password-master/

I build tools at AIToolboxBD.com that run on your own device — because you already paid for the hardware. No uploads. No accounts. No data games.

Top comments (0)