The latest articles on DEV Community by devbythom (@devbytho). https://dev.to/devbytho https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3637651%2Fb86b799a-8cc0-446d-8fa0-120860bb5761.png https://dev.to/devbytho en devbythom Sun, 30 Nov 2025 16:41:35 +0000 https://dev.to/devbytho/eazypasswords-a-zero-knowledge-password-manager-189o https://dev.to/devbytho/eazypasswords-a-zero-knowledge-password-manager-189o <p>hello everyone</p> <p>I’ve been tired of paying $60/year just to securely share Netflix and WiFi passwords with my family. I wanted to build a lightweight, secure alternative that runs entirely on the Edge and is only 5$ per year!</p> <p>Here is how I built EazyPasswords, a Zero-Knowledge vault that costs me almost nothing to run, thanks to the modern serverless stack.</p> <p><strong>The Stack</strong></p> <p>I wanted instant load times and zero cold starts, so I avoided traditional containers.<br> Backend: Hono running on Cloudflare Workers.</p> <p>Database: Cloudflare D1 (SQLite at the Edge).</p> <p>Frontend: Vanilla JS (hosted on Cloudflare Pages).</p> <p>Crypto: Native Web Crypto API (window.crypto.subtle).</p> <p>The Architecture: True Zero-Knowledge</p> <p>The biggest challenge was ensuring I (the server admin) could never see the user's data.<br> Here is the flow I implemented:<br> Registration: The client generates a random Salt. The Master Password is hashed with PBKDF2 (100k iterations). We derive an AuthKey (sent to server) and a MasterKey (kept in memory).<br> Encryption: Before any data leaves the browser, it is encrypted using AES-GCM (256-bit) with the MasterKey.<br> Storage: The server receives a JSON payload of iv and ciphertext. D1 stores this blob. It has no idea what it contains.<br> The "Visual Dead Drop" (QR Sharing)<br> This is the feature I'm most proud of. I wanted to share passwords without sending the decryption key over the network (which is a common attack vector).<br> I built a Visual Dead Drop system:<br> Sender: Client generates a random, ephemeral AES key.<br> Encrypt: The password blob is encrypted with this ephemeral key and uploaded to D1.<br> The Trick: The ephemeral key is NOT sent to the server. Instead, it is encoded into a QR Code string displayed on the sender's screen.<br> Receiver: Scans the QR code. Their device extracts the key from the image, fetches the blob from D1, and decrypts it locally.<br> The server holds the lock, but the key exists only in the physical world (on the screen)<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fef5w6p5go755ir3ann49.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fef5w6p5go755ir3ann49.png" alt="Qr code image" width="800" height="403"></a>.</p> <p>Why Cloudflare D1?<br> For a side project, cost is everything. D1 allows for millions of reads/writes for free. This architecture allows me to offer a Free Family Plan to users because my overhead is practically zero.</p> <p>I need your feedback (Beta)<br> I am currently in Open Beta. Since I'm a backend engineer, my UI skills aren't perfect, but the crypto engine is solid.<br> I’m looking for developers to stress-test the encryption speed and the QR code scanning across different devices.</p> <p>And if you have any questions about something you dont get feel free to ask<br> You can try it here: <a href="https://eazypasswords.com" rel="noopener noreferrer">Eazypasswords</a></p> <p>(If you sign up during the beta, you get the Family Plan for free forever as a thank you for testing).</p> webdev security backend passwordmanager