We live in a world where the average person manages dozens — sometimes hundreds — of passwords. Yet most solutions to this problem fall into two uncomfortable camps: cloud-based services that require you to trust a third party with your most sensitive data, or bloated desktop applications that demand complex installations and constant updates.
What if there was a third option? What if you could run a fully-featured, beautifully designed, encrypted password manager with nothing but Python — no pip, no npm, no frameworks, no internet connection required?
That's exactly what Vault is.
What Is Vault?
Vault is a web-based password wallet that lives entirely inside a single Python file. You run it, a local server starts on your machine, your browser opens, and you're greeted with a sleek dark-mode interface that looks like it belongs in a modern SaaS product — not a hobby script.
Every password you store is encrypted before it ever touches disk. Lock it when you're done. Close the tab. Walk away. Your data stays safe.
The project is open-source and available on GitHub:
👉 github.com/jafartavana01/password-wallet
The Philosophy: One File, No Compromise
Most developers, when building a web app, reach for Flask, React, SQLite, and a handful of crypto libraries before writing a single line of business logic. Vault was built under a different constraint: Python's standard library only.
This constraint was deliberate, and it shapes everything about the project:
No installation step. You don't need a virtual environment. You don't need pip. If you have Python 3.7 or higher, you already have everything Vault needs.
No third-party supply chain risk. Apart from Python itself and its standard library, every line of code that runs on your machine was written by the project author, not pulled from a registry of third-party packages. That matters a great deal for a security-sensitive tool.
Fully portable. Drop the file on a USB drive, carry it to any machine, run it. No setup, no configuration wizard.
```bash
python password_wallet.py
```
That's the entire installation process.
The Security Model
A password manager that isn't secure isn't a password manager — it's a liability. Vault takes a layered approach to protecting your data, implemented entirely from Python's built-in hashlib and hmac modules.
Master Password Verification
When you set your master password for the first time, Vault never stores it. Instead, it derives and stores a PBKDF2-HMAC-SHA256 verifier — a one-way hash computed over 200,000 iterations with a fixed salt. The original password cannot be recovered from this verifier.
Per-Entry Encryption
Each entry you save is individually encrypted before being written to wallet.json. The process works like this:
A fresh 16-byte random salt and 16-byte IV are generated for the entry using Python's secrets module (cryptographically secure random generation).
Your master password is combined with the salt and stretched through PBKDF2 into a 32-byte key.
That key is split into an encryption key and a MAC key using SHA-256 domain separation.
The entry data is encrypted with an XOR stream cipher driven by a SHA-256 block chain.
An HMAC-SHA256 tag is computed over the salt, IV, and ciphertext and appended to the blob.
When you unlock the vault and load your entries, the HMAC is verified before any decryption takes place. If the tag doesn't match — wrong password, corrupted file, or tampered data — decryption is rejected entirely.
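The five steps and the verify-then-decrypt rule above, as an added standard-library sketch; this is not Vault's own code. The PBKDF2 iteration count for entries, the `b"enc"`/`b"mac"` labels, the exact keystream chaining, and the `salt | iv | ciphertext | tag` layout are assumptions, since the article does not specify them.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: the article gives this count for the verifier only


def derive_keys(master: str, salt: bytes):
    """Stretch the master password, then split it by SHA-256 domain separation."""
    root = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)
    # Distinct labels give independent encryption and MAC keys (labels are assumed).
    return hashlib.sha256(b"enc" + root).digest(), hashlib.sha256(b"mac" + root).digest()


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with a chained keystream: block_i = SHA256(key || block_{i-1})."""
    out, block = bytearray(), iv
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + block).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_entry(master: str, plaintext: bytes) -> bytes:
    # Fresh salt and IV per entry, so no two entries share a keystream.
    salt, iv = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master, salt)
    ct = keystream_xor(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, salt + iv + ct, hashlib.sha256).digest()
    return salt + iv + ct + tag  # assumed layout: salt | iv | ciphertext | tag


def decrypt_entry(master: str, blob: bytes) -> bytes:
    if len(blob) < 16 + 16 + 32:
        raise ValueError("blob too short")
    salt, iv, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + iv + ct, hashlib.sha256).digest()
    # Verify the tag first, in constant time; unauthenticated data is never decrypted.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return keystream_xor(enc_key, iv, ct)
```

A wrong master password and a modified blob both fail at the same check, so the caller cannot tell the two cases apart from the error.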
In-Memory Only
Decrypted entries never touch disk. They live only in your browser's JavaScript memory for the duration of your session. The moment you click Lock, the master password is cleared from memory, all entries are wiped, and the app returns to the lock screen. Nothing sensitive remains.
The Interface
The UI was designed to feel like a real product. Dark navy backgrounds (#0D1117), electric blue accents (#58A6FF), and a terminal-inspired monospace font for passwords — the aesthetic signals that this is a security tool, not a toy.
The Lock Screen
A full-screen lock screen greets you on every launch. The password input has a subtle circuit-trace animation on focus — the border glows and traces around the field like an unlocking circuit. It's a small detail, but it sets the tone.
The Vault
Once unlocked, the interface splits into a familiar two-panel layout: a sidebar listing all your entries, and a main panel showing the selected entry's details. Entries are color-coded by their auto-generated avatar (based on the entry title), and tagged by category — Web, Finance, Email, Social, Work, or Other.
Password Detail View
Each entry displays its password behind a mask by default. A toggle reveals it. A one-click copy button grabs the username, password, or URL to your clipboard with a toast notification confirming the action. A color-coded strength bar tells you at a glance how robust a given password is.
The Generator
Built into the Add/Edit modal is a fully configurable password generator. Choose your length (8 to 64 characters), toggle uppercase, lowercase, digits, and symbols, hit Generate, and a cryptographically random password appears. One more click applies it directly to the password field.
The Data File
All your entries are stored in a single file: wallet.json. It looks something like this:
```json
{
  "verifier": "a3f8b2c1d4e5...",
  "entries": [
    {
      "id": "3e9a1c4f",
      "data": "dGhpcyBpcyBhIGJhc2U2NCBlbmNyeXB0ZWQgYmxvYg==",
      "updated": "2025-06-12"
    }
  ]
}
```
The data field is an opaque base64 blob. Without the master password, it reveals nothing about the entry's title, username, password, URL, or notes. The file is safe to back up, sync to a personal cloud, or transfer between machines.
Searching and Organizing
The search bar in the header filters entries in real time across titles, usernames, URLs, and categories. A stats bar beneath the header shows the total entry count, number of active categories, and — usefully — a count of weak passwords so you know when it's time to do some housekeeping.
Who Is This For?
Vault is built for a few specific types of people:
Developers and sysadmins who want a local, auditable password manager they can read top-to-bottom in a single sitting. There are no black boxes here.
Privacy-conscious users who are uncomfortable with cloud-based password managers and want their data to stay on their own hardware.
Anyone who needs a portable solution — running on a locked-down corporate machine, an air-gapped workstation, or a Raspberry Pi. If it runs Python, it runs Vault.
Getting Started
```bash
# Clone the repository
git clone https://github.com/jafartavana01/password-wallet.git
cd password-wallet

# Run
python password_wallet.py
```
Your browser will open automatically. On first launch, you'll be asked to set a master password — choose something strong, and write it down somewhere safe. There is no password recovery mechanism by design.
The wallet.json file is created automatically in the same directory. Back it up regularly.
What's Next
This project demonstrates what's possible when you treat constraints as a creative challenge rather than a limitation. Future directions could include:
Import/export from common formats (CSV, 1Password, Bitwarden)
Browser extension for auto-fill
Optional AES-256-GCM encryption via the cryptography package for users who want audited crypto primitives
TOTP / two-factor authentication code support
Contributions and ideas are welcome via GitHub Issues and Pull Requests.
Final Thoughts
There's something satisfying about a tool that does exactly one thing, does it well, and asks nothing of you except Python. Vault isn't trying to be Bitwarden or 1Password. It's trying to be the thing you can hand to anyone, tell them to run python password_wallet.py, and have them storing passwords securely in under 60 seconds.
Sometimes that's exactly what you need.
GitHub: github.com/jafartavana01/password-wallet
Author: Jafar Tavana — powerinfossl@gmail.com