Jonathan Park

Why I Built a Password Manager That Never Touches the Internet

Every password manager I've used wants me to create an account. Sync to their cloud. Trust their servers. Pay a subscription.

And then one day, LastPass gets breached. Again.

I don't have anything against cloud-based password managers — they solve a real problem. But I kept thinking: what if you just... didn't need any of that?

The Premise

Most people don't need cross-device sync for every password. They need a secure place to store credentials that:

  • Doesn't require an account
  • Doesn't phone home
  • Works offline
  • Can't be breached on a server because there is no server

So I built Password Notebook.

Zero-Server Architecture

Here's what "never touches the internet" means concretely:

  • No backend. It's a static site. HTML, CSS, JavaScript. That's the entire stack.
  • No API calls. Open your network tab. Nothing goes out.
  • No analytics. No tracking pixels, no Google Analytics, no telemetry.
  • No account. You open it and start using it.

Your passwords are encrypted and stored in your browser's localStorage. They exist on your device and nowhere else.

How Encryption Works

When you set a master password, the app:

  1. Derives a cryptographic key from your password using PBKDF2 with a high iteration count (600,000 in the snippet below)
  2. Encrypts your password vault using AES-GCM via the Web Crypto API
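  3. Stores the encrypted blob in localStorage

```javascript
// Simplified — the actual implementation has more safeguards
// masterPassword is the string the user typed.
const encoder = new TextEncoder();
// Per-vault random salt (16 bytes here as an example); it has to be kept
// with the encrypted vault so the same key can be derived again.
const salt = crypto.getRandomValues(new Uint8Array(16));

const keyMaterial = await crypto.subtle.importKey(
  "raw",
  encoder.encode(masterPassword),
  "PBKDF2",
  false,
  ["deriveKey"]
);

const key = await crypto.subtle.deriveKey(
  { name: "PBKDF2", salt, iterations: 600000, hash: "SHA-256" },
  keyMaterial,
  { name: "AES-GCM", length: 256 },
  false,
  ["encrypt", "decrypt"]
);
```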

All crypto is done via the browser's native Web Crypto API — no third-party crypto libraries.
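
The three steps above carried through to a stored record and back, as an added example that is not Password Notebook's own code. The function names `sealVault` and `openVault`, the JSON record layout, and the 16-byte salt and 12-byte IV sizes are assumptions made for illustration.

```javascript
// Added example, not Password Notebook's code; record layout and names are assumptions.
// Browsers and Node 20+ expose Web Crypto globally; the fallback covers older Node.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const ITERATIONS = 600000; // same count as the article's snippet

const toB64 = (buf) =>
  btoa(Array.from(new Uint8Array(buf), (b) => String.fromCharCode(b)).join(""));
const fromB64 = (text) => Uint8Array.from(atob(text), (c) => c.charCodeAt(0));

async function deriveKey(masterPassword, salt, iterations) {
  const keyMaterial = await webCrypto.subtle.importKey(
    "raw", new TextEncoder().encode(masterPassword), "PBKDF2", false, ["deriveKey"]);
  return webCrypto.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations, hash: "SHA-256" }, keyMaterial,
    { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypts the vault object; returns a string for localStorage.setItem().
async function sealVault(masterPassword, vault) {
  const salt = webCrypto.getRandomValues(new Uint8Array(16));
  const iv = webCrypto.getRandomValues(new Uint8Array(12)); // never reuse an IV under one key
  const key = await deriveKey(masterPassword, salt, ITERATIONS);
  const ciphertext = await webCrypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(JSON.stringify(vault)));
  // Salt, IV and iteration count are not secret; they are stored so the key can be re-derived.
  return JSON.stringify({
    iterations: ITERATIONS, salt: toB64(salt), iv: toB64(iv), data: toB64(ciphertext) });
}

// Returns the vault, or null when the password is wrong or the record was altered.
async function openVault(masterPassword, stored) {
  const record = JSON.parse(stored);
  const key = await deriveKey(masterPassword, fromB64(record.salt), record.iterations);
  let plaintext;
  try {
    plaintext = await webCrypto.subtle.decrypt(
      { name: "AES-GCM", iv: fromB64(record.iv) }, key, fromB64(record.data));
  } catch {
    return null; // the AES-GCM authentication tag did not verify
  }
  return JSON.parse(new TextDecoder().decode(plaintext));
}
```

Because AES-GCM is authenticated, a wrong master password and a modified record fail the same way, so no separate password hash needs to be stored to check the password.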

The Trade-offs (Honestly)

This approach has real limitations, and I think it's important to be upfront about them:

What you give up:

  • No sync. Your passwords live on one device, in one browser. Clear your browser data and they're gone.
  • No recovery. Forget your master password? There's no "forgot password" flow. No server means no recovery email.
  • No autofill. This isn't a browser extension. You copy-paste.
  • localStorage isn't perfect. It can be cleared by the browser, and it's accessible to JavaScript on the same origin. The encryption mitigates the latter, but it's worth knowing.

What you get:

  • Zero attack surface on the network. No server to breach. No API to exploit. No database dump to worry about.
  • No trust required. You can read the source. It's all client-side.
  • Instant setup. Open the page, set a master password, start saving.
  • Works offline. Once loaded, it doesn't need a connection.

Who Is This For?

Not everyone. If you need sync across 5 devices, use Bitwarden (it's great and open source).

Password Notebook is for people who:

  • Want a simple, local credential store on a single machine
  • Don't trust cloud services with their passwords
  • Need something for a shared computer where installing software isn't an option
  • Want a secondary/backup password reference

Try It

Free, no sign-up, no download: passwords.impulsestudios.cc

Your data stays on your device. I literally can't see it even if I wanted to.


If you're curious about the implementation or want to audit the crypto, the source is all in the browser. View source and read it.

Top comments (1)

Mr Disloyal

Same as me. I also created a password manager with this method. You can check it on zlvox.com