DEV Community: ButcherBoyBD

Your Password Vault Is Sitting on Someone Else's Server Right Now. Here's the Free Manager I Built That Keeps It on Your Device.

ButcherBoyBD — Wed, 03 Jun 2026 21:43:28 +0000

I want to talk about something the password manager industry has quietly normalized — and most users never think twice about.

When you set up a cloud password manager, your encrypted vault ends up on their server. Not on your device. On theirs. In a data center you have no visibility into, managed by a security team you'll never meet, protected by infrastructure that is, by definition, a centralized target.

And here is the part that should give everyone pause: a successful attack on that server doesn't just expose one person's vault. It exposes every customer's vault simultaneously.

The Problem Nobody Quantifies

The LastPass breach of 2022 is the case study everyone cites and almost nobody finishes. Yes, the vaults were encrypted. Yes, the master passwords weren't stored. But the encrypted vaults were exfiltrated — and that means attackers have unlimited time to try to crack them offline, with no rate limiting, no lockouts, no time pressure.

A strong master password makes cracking slow. It does not make it impossible. "Slow" is a relative term when the payoff is access to someone's entire digital life — every account, every service, every saved credential in one place.

This is not a criticism of LastPass specifically. This is the architecture. Any system where your vault lives on an external server is a system where a breach of that server can hand your encrypted data to someone with unlimited time and motivation to decrypt it.

There is a second part that gets even less discussion: cloud password managers are businesses. Businesses need revenue. Free tiers get restricted. Prices increase at renewal. Features disappear behind paywalls. Your access to your own passwords — to your own digital identity — becomes contingent on a company's continued existence and its decisions about monetization.

What a Local Vault Actually Changes

If your vault never leaves your device, it cannot be exfiltrated in a server breach. Not because the encryption is better. Because there is no server to breach.

The entire category of risk that has exposed millions of cloud password manager users simply does not exist in an offline-first architecture. You eliminate it by design, not by defense.

I built Omega Password Master — a free, open source, portable password manager for Windows that stores your encrypted vault entirely on your local device. No account. No server. No cloud connection required after download. No subscription. No premium tier. Free under the MIT license, indefinitely.

The Encryption Stack — In Plain Terms

Vault Encryption: AES-256-GCM. The same standard used by financial institutions and governments. Provides both encryption and authenticated integrity verification — meaning any tampering with the vault file is detectable before decryption even runs.

Key Derivation: PBKDF2 at 310,000 iterations with SHA-256. Your master password is never stored anywhere. It is used to derive the encryption key through 310,000 rounds of hashing — then discarded. The iteration count is deliberately high: it makes brute-force and dictionary attacks computationally expensive on any realistic hardware.

Authentication: bcrypt for login. The vault key is derived separately and held in memory only while the vault is open. Step away, it locks. Power off, it is gone from memory entirely.

Recovery: 3 security questions at first setup generate a recovery file stored in the .omegadata folder. No email resets. No support tickets. If you forget your master password, answering all 3 correctly restores access. Your recovery stays in your hands — not in an inbox or a company's queue.

What's Inside

🔐 AES-256-GCM vault — separate username, email, password, and URL fields per entry
📝 Secure Notes — encrypted storage for recovery codes, PINs, private keys, anything that does not fit a password field
📲 Built-in TOTP Generator — 2FA codes generated locally; no separate authenticator app needed, no 2FA secrets leaving your device
🔑 Password Generator — cryptographically strong, fully local, configurable character sets and length
🌐 Browser Import — import directly from Chrome, Edge, and Firefox via OS-level decryption; no upload at any point
☁️ Encrypted Auto-Backup — point at your Google Drive or OneDrive sync folder; backups are encrypted .opm files only your master password can open
📋 Clipboard Auto-Clear — copied passwords cleared from clipboard after a configurable timeout
🔒 Auto-Lock on Inactivity — vault closes itself after idle time you define
📄 PDF Export — printable emergency backup, optionally with or without password values shown
📖 User Guide — built-in guide.html ships with the app, one click from the sidebar

Three Steps. No Installer. No Admin Rights.

Step 1: Download the ZIP (~129 MB) — the complete portable application, nothing else required

Step 2: Extract to any folder — Desktop, USB drive, external hard drive, anywhere you want

Step 3: Run, set your master password, answer 3 recovery questions — vault ready in under 60 seconds

No changes to your Windows registry. No system folders touched. The vault lives in a hidden .omegadata folder next to the application. To move to another PC: copy the entire folder, paste it, run. That is the complete migration process.

Portable by design. Extract to a USB drive and your encrypted vault travels with you. Plug into any Windows PC, run the executable, open with your master password. No installation on the host machine.

Works on Windows 7, 8, 10, and 11.

What's New in v1.0.1 — June 2026

✅ Built-in User Guide (guide.html) + User Guide button in sidebar
✅ Username and Email are now separate input fields — better organisation and smarter import deduplication
✅ Fixed UI panel scrolling (flexbox min-height: 0 fix)
✅ Breach Alerts now clearly states it checks emails via XposedOrNot
✅ Custom emoji icon input field widened for more comfortable typing

Who This Is For

If you already use a solid password manager and understand threat models, you know immediately whether local storage fits yours. It is a trade-off — if your device is physically compromised and unlocked, the vault is exposed. No local manager solves every problem.

But if you are someone who has never felt right about your entire digital identity sitting on a company's server — or you know people who reuse weak passwords because every manager they have tried demanded an account and a subscription — this is built for that.

The hardware they already own is powerful enough. The only thing missing was a tool built around the user's control, not around a monetization roadmap.

That is what Omega Password Master is.

📥 Download v1.0.1 — Free, Portable, No Account Required:
👉 aitoolboxbd.com/free-pc-softwares/omega-password-master/

I build tools at AIToolboxBD.com that run on your own device — because you already paid for the hardware. No uploads. No accounts. No data games.

Your QR Code Is Spying On Everyone Who Scans It — And You Set The Trap

ButcherBoyBD — Sun, 03 May 2026 16:15:55 +0000

I need to tell you about something that's been bothering me since I built AIToolboxBD — not as a privacy researcher or security expert, but as someone who creates free browser tools and realized how much surveillance gets baked into things we assume are harmless.

You know those QR codes on restaurant menus, event flyers, business cards? There's a very good chance you've been unknowingly tracking everyone who scans them — logging their GPS coordinates, device fingerprint, operating system, browser type, and exact timestamp of every scan. And it's completely legal because you agreed to the terms when you created the code. The people scanning it never did.

Let me show you exactly how this works.

The Free QR Code Generator You Used Isn't Actually Free

When you search "free QR code generator," you get tools that promise instant results with no signup required. You paste your URL, click "Generate," and boom — you've got a QR code. Simple. Fast. Free.

Except nothing about that transaction was free.

Here's what actually happened:

You pasted your destination URL (let's say https://yoursite.com/menu)
The generator uploaded it to their server and created a redirect URL (like https://qr-platform.io/abc123)
The QR code encodes THAT redirect, not your actual URL
You download the code and print it on your flyers, menus, business cards
Every person who scans it hits their tracking server first before being redirected to your site That tracking server logs everything:
GPS coordinates (latitude/longitude accurate to meters)
Device type (iPhone 15 Pro, Samsung Galaxy S24, etc.)
Operating system (iOS 17.4, Android 14)
Browser (Chrome, Safari, Firefox)
Timestamp (exact date/time of scan)
IP address (for additional geolocation) ### Who owns this data?

Not you. The platform does.

You created the code. You distributed it. You put it in front of people who trust you enough to scan it. But the data belongs to the platform that provided the "free" tool. You're not the customer — you're the supply chain.

This Is Called a "Dynamic QR Code" — And It's the Default

The QR code industry quietly split into two technical architectures years ago:

1. Static QR Codes (The Original Standard)

Encode the final destination URL directly in the QR pattern
No server involved
No redirect
No tracking
Work forever (as long as QR readers exist) ### 2. Dynamic QR Codes (The Surveillance Model)
Encode a redirect URL that points to the platform's tracking server
Server logs analytics on every scan
Platform can change the destination without reprinting the code
Stop working if the company shuts down, rebrands, or discontinues free tier Guess which one every major "free" QR generator gives you by default?

Dynamic. Always dynamic. Because static codes don't generate the data they need to monetize.

Data flow of a dynamic QR scan · GPS · Device fingerprint · OS · Browser · Timestamp — all before the redirect completes

The Legal Loophole: You Consented. They Didn't.

Here's the part that makes this technically legal but ethically rotten:

When you created the QR code, you clicked "Generate" on a website with terms of service buried at the bottom. Those terms grant the platform analytics rights, data collection permissions, and the ability to log scanner behavior. Legally, you agreed.

When someone scans your code, they see a QR pattern. They don't see terms of service. They don't know a tracking server is involved. They didn't agree to anything. They trusted you — not the platform you used.

The platform argues: "The person who created the tracker consented on behalf of their users."

But that's not how consent works. You can't consent to surveillance on behalf of someone who doesn't know they're being surveilled.

Yet legally, the scanner can't sue the platform because they never interacted with the platform. They interacted with you. You're the one who put the tracker in front of them.

You became the intermediary in a surveillance transaction you didn't fully understand.

Static QR codes · Permanent by design · No server dependency · No scan tracking · No expiration risk

Real-World Example: The Restaurant Menu That Sold Customer Locations

Imagine you own a small restaurant. You use a free QR code generator to create a code that links to your PDF menu. You print it on table tents. Customers scan it to see the menu.

What you think is happening:

Customer scans code → views menu → orders food What's actually happening:
Customer scans code
Their phone contacts qr-platform.io/xyz789
Platform logs: GPS (exact table location if scanned in-restaurant), device type, timestamp
Platform redirects to your menu PDF
Customer views menu, unaware their location was just logged Now multiply that by hundreds of scans per week. The platform now has:
A heatmap of where your customers are physically located when they scan
Device demographics (what phones your customers use)
Behavioral timing data (lunch rush vs. dinner patterns) None of your customers consented to this. They thought they were scanning a menu. They were actually checking in to a third-party analytics database.

And here's the kicker: You can't delete that data. It's on the platform's server. You created the code, but you don't control the logs.

The Business Model: You're Not Selling Data. You're Generating It For Someone Else.

QR code platforms don't sell your data. They sell aggregated analytics derived from millions of people like you who unwittingly turned their audience into a data-generation workforce.

The platform doesn't care about your restaurant menu. They care about the geolocation patterns of people who scan QR codes in restaurants. Multiply that across thousands of restaurants, and they've got a location intelligence dataset they can sell to:

Ad networks (retargeting people who've been to specific locations)
Market research firms (foot traffic analysis)
Data brokers (enriching consumer profiles with offline behavior) You didn't get paid. You got a free QR code. Your customers got surveilled.

Watch: How QR Code Tracking Actually Works

How to Check If Your QR Code Is Tracking People

If you've created QR codes in the past and want to know if they're tracking scanners:

Scan your own QR code with a smartphone
Before it redirects, look at the URL in your browser
If the URL is NOT your final destination, it's a dynamic code with a tracking server Example:
❌ Dynamic (tracking): https://qr.io/abc123 → redirects to your site
✅ Static (no tracking): https://yoursite.com/page (direct) If your code has a redirect, everyone who scans it is being logged.

The Solution: Static QR Codes That Don't Phone Home

The fix is simple: use a QR code generator that creates static codes processed entirely in your browser.

Here's how static codes work:

You open the generator (runs 100% in your browser, no server upload)
You paste your destination URL
JavaScript encodes it directly into the QR pattern using the ISO/IEC 18004 standard
The code is generated locally on your device and downloaded as a PNG
Nothing leaves your machine When someone scans it:
Their phone reads the pattern
Extracts the URL
Navigates directly to your site
No redirect. No server. No log entry. ### What You Give Up You lose the analytics dashboard. You can't see how many times the code was scanned, from where, or on which device. That data doesn't exist anywhere.

If you need scan analytics, you can add UTM parameters to your destination URL and track it using your own website analytics — analytics you control, tracking your content rather than your users.

What Everyone Gains

Scanner privacy: No GPS logging, no device fingerprinting, no profiling
Permanent codes: Works forever (no expiration, no company shutdown risk)

- No surveillance database: Your audience isn't unknowingly enrolled in a tracking system

I Built a Privacy-First QR Generator Because I Couldn't Find One That Didn't Track

After realizing how pervasive dynamic tracking had become, I built AIToolboxBD's Free QR Code Generator specifically to solve this:

✅ 100% local processing (zero server upload)
✅ Static codes only (no tracking, no redirect)
✅ No account required
✅ Never expires (the data is in the pattern, not on a server) Even if AIToolboxBD shuts down tomorrow, the codes you generated will keep working forever. That's the point.

You're Not the Villain. The System Is.

You didn't do anything wrong. You used a free tool because it was convenient. You didn't read 47 pages of terms and conditions because nobody does.

But the result is the same: everyone who trusted you enough to scan your code had their location logged, their device fingerprinted, and their behavior profiled — without their knowledge and without their consent.

The fix isn't to stop using QR codes. The fix is to use QR codes that don't have surveillance baked into their architecture by design.

Static codes exist. Tools to generate them exist. There's no technical barrier. There's no cost barrier. There's only the awareness barrier — and you just crossed it.

One Last Thing

If you've printed QR codes in the past and just realized they've been tracking people:

What did you do with those codes?

Did you leave them up? Did you take them down? Did you replace them with static codes?

I'm genuinely curious how people react when they realize the "free" tool they used wasn't free for the people who trusted them enough to scan.

Drop a comment — I'd love to hear your thoughts.

If you found this useful, consider checking out AIToolboxBD — I'm building privacy-first browser tools that work entirely on your device. No uploads, no tracking, no surveillance.

The "Free" Tool You Just Used Probably Sold Your Personal Data. Here's Why That's Allowed & What Changes It.

ButcherBoyBD — Fri, 24 Apr 2026 05:55:01 +0000

I want to start my first post here with something that's been bothering me for a long time — not as a security researcher, just as someone who builds free tools and thinks a lot about who the real customer is when a product is "free."

Because "free" is doing a lot of work in that sentence. And most people never stop to ask what's actually being traded.

The Problem Nobody Explains Clearly

When you upload a photo to a "free" online converter, here's what actually happens:

Your file lands on a server you've never heard of. The tool reads your photo. If your photo was taken on a phone, it comes with EXIF metadata baked into it — GPS coordinates showing exactly where you were, timestamp, device model, camera settings. That data doesn't disappear when the conversion finishes. It gets logged. It gets associated with your IP address, your browser fingerprint, and often your email if there was a signup wall that you clicked through just to get the file.

That package of data — who you are, where you've been, what device you use, what time you do things — is worth real money to advertising networks, data brokers, and profiling companies. Not because any single upload is valuable on its own. Because they have ten million of them, cross-referenced, stitched together into a profile that knows you better than most people in your life do.

And here's the uncomfortable truth: this isn't a security flaw or a bug someone forgot to patch. This is the business model. The conversion tool is not the product. The conversion tool is the data collection mechanism. The product is you.

The phrase "if the product is free, you are the product" actually understates the situation. You're not just a vague advertising demographic getting served slightly more relevant ads. You're uploading specific, traceable, personal files that carry a digital paper trail — and that trail goes somewhere you can't follow and can't erase.

The Part That Actually Shocked Me

Most free online tools don't need to upload your file to a server at all.

Modern browsers — Chrome, Firefox, Edge, even mobile Safari — can run heavy computational tasks locally using WebAssembly (WASM). This isn't a niche experiment or a beta feature. WebAssembly has been a W3C standard since 2019. It ships in every major browser. It runs at near-native speed. And it means that video conversion, audio processing, image format transformation, AI background removal — all of this can execute directly on your device. The file never has to leave your machine.

Your phone or laptop is already powerful enough. The hardware that processes a video file in a cloud datacenter is not fundamentally different from the chip in the device you're reading this on right now — and in many cases, your device is faster. The reason most "free" tools use cloud servers isn't technical necessity. It's not that local processing is too slow or too complex. It's because the upload is the point.

When you upload, they get the data. The conversion is just what keeps you from noticing.

There's also a second thing happening that's less discussed: even the act of uploading gives them something. Your IP address. Your browser fingerprint — a near-unique signature assembled from your OS version, screen resolution, installed fonts, timezone, language settings, and dozens of other variables that together identify you with startling precision, without a single cookie. Even if you never sign up, never log in, and delete the file immediately after — they already got what they needed the moment the upload started.

The Asymmetry Nobody Talks About

Inside these companies — in their product teams, their data partnerships, their business development meetings — the value of what you just uploaded is extremely well understood. They know exactly what file types yield what kinds of behavioral data. They know which brokers buy it. They know the downstream life of every upload.

Most users see a clean interface that says "Convert Free" and assume the transaction is simple: I give you a file, you give me a converted file, we're done.

It isn't simple. And the Terms of Service document that technically discloses the real arrangement is written to extract consent, not to communicate it. It's a legal instrument, not an explanation. If you actually read the ToS of most "free" converter sites, you'll find language like "you grant us a worldwide, royalty-free license to use, reproduce, and create derivative works from your uploaded content." That sentence means your file can legally be used to train AI models, sold to third parties, and retained indefinitely — and you agreed to it by clicking the button.

This information asymmetry — where one party knows exactly what the exchange is worth and the other doesn't — is one of the oldest structures in commerce. The digital version is just faster, more automated, and running at a scale of billions of interactions per day.

What I'm Trying to Build

I've been building AIToolboxBD with one principle at the center: local by default.

Every browser-based tool on the site processes files on your own hardware. Nothing is uploaded to a remote server. No account required for conversion tasks. No watermarks. No degraded output on the free tier — because there is no paid tier that unlocks the real quality. The file stays with you. The processing happens on your CPU and GPU. When you close the tab, there's nothing left on any server anywhere, because nothing was ever sent there.

The stack that makes this possible is WebAssembly, the HTML5 File API, and client-side JS libraries that have been stable and production-ready for years. This isn't cutting-edge or experimental. It's just rarely used this way because server-side uploads are more profitable.

Current tools:

Image & Design Tools — universal format converter (RAW, AVIF, HEIC, WebP — the heavy formats most converters struggle with), PNG-to-ICO favicon maker, AI background remover that runs the inference model entirely in your browser
Audio Tools — batch converter with trimming and volume normalization, handles MP3, WAV, FLAC, OGG
Video Tools — video-to-audio extractor, no upload, no waiting for a server queue
QR Generator — fully offline-capable, generates static codes that never expire and don't phone home
AI Image Generator — runs in-browser, no API key, no account, no per-image credit

PC software and Android apps are coming in the next few days — both built specifically to run well on budget hardware. Not just flagships. The kind of device most people in the world actually own.

Who This Is Really For

If you're a developer reading this, you probably already knew most of what I wrote above. You understand EXIF data. You know what a browser fingerprint is. You've read enough privacy policies to know what "used to improve our services" actually means.

But most people in your life don't. And they're uploading their medical documents, family photos, private audio recordings, and work files to random converter sites every single day — because the interface looks clean, the tool is fast, and nobody ever told them what the upload actually costs.

The device they already own could do all of this locally. It has the processing power. It has the storage. The only thing missing was tools built for them, not around them.

That's the gap I'm trying to close. One tool at a time.

Site: aitoolboxbd.com
This is the founding philosophy. Technical posts on the WASM stack, the in-browser ML pipeline, and the PC software are coming soon.