Site: https://maotaw.com/
Why I built Kardix as a stateless password generator instead of another encrypted vault, and what tradeoffs come with having nothing to store, sync, or steal.
Most password managers solve the "too many passwords" problem by creating a vault.
That vault may be encrypted. It may be protected by a strong master password. It may use good cryptography. But it is still one place where all your credentials exist together.
For many people, that tradeoff is worth it. A good password manager is much safer than reusing the same weak password everywhere.
But I wanted to ask a different question.
What if the best password database is the one that never exists in the first place?
That idea became Kardix.
Kardix is not a traditional password manager. It does not store your passwords. It does not sync them. It does not ask you to create an account. There is no cloud vault, no backup file, and no central password database.
Instead, Kardix derives passwords on demand.
You enter a private passphrase you remember, a simple label like github or netflix, and an optional PIN or extra secret. Kardix then uses Argon2id to create the same password every time from the same inputs.
Same inputs in. Same password out.
Nothing saved. Nothing synced. Nothing to breach.
Why I Did Not Want a Vault
Traditional password managers work by storing your credentials in an encrypted database.
That database is usually protected by a master password. This can be a strong and reasonable design. The problem is not that encryption is bad. The problem is that storage always creates responsibility.
Once a vault exists, you have to think about where it is stored, how it is synced, how it is backed up, what happens if you lose access, what happens if the provider is breached, and what happens if you forget the master password.
A vault can be secure, but it is still a target.
Kardix takes a different approach.
Do not protect the database. Remove the database.
Instead of saving the final password, Kardix recreates it only when needed.
How Stateless Password Generation Works
A normal password manager says: "Here is your saved password."
Kardix says: "Give me the same private inputs, and I will regenerate the same password."
For example, you might use a private passphrase, the label github, and an optional PIN.
Kardix combines those inputs and runs them through a key derivation process. The important part is that the output is deterministic.
That means the same passphrase, same label, and same PIN will always create the same generated password.
Change the label from github to netflix, and you get a different password.
Change the passphrase, and everything changes.
Change the PIN, and everything changes again.
This allows every account to have a unique password without storing a list of passwords anywhere.
Why Argon2id?
Kardix uses Argon2id because password derivation should be intentionally expensive for attackers.
Fast hashing is useful in many areas of software, but password-based systems need a different property. They need to slow down brute-force attempts.
Argon2id is memory-hard, which means it is designed to require both computation and memory. That makes large-scale guessing attacks more expensive compared with simple fast hashing.
In simple terms, your passphrase should not be turned into a password in the fastest and weakest way possible. It should go through a slow, deliberate derivation process.
This does not magically make a weak passphrase safe.
If someone uses password123 as their private phrase, no algorithm can fully save them.
But with a strong private passphrase, a unique label, and an optional PIN, the system becomes much harder to attack.
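As an added illustration of the derivation described in the two sections above (this is example code written for this article, not Kardix's own implementation, and its parameters, field encoding, label normalisation and character set are all assumptions), the function below turns a private passphrase, a label and an optional PIN into a deterministic password. It uses Argon2id through the argon2-cffi package when that is installed and otherwise falls back to scrypt, another memory-hard KDF from the Python standard library.

```python
import hashlib
import hmac
import unicodedata

try:  # argon2-cffi, if installed; the Argon2 parameters below are assumptions
    from argon2.low_level import Type, hash_secret_raw
    HAVE_ARGON2 = True
except ImportError:  # stand-in memory-hard KDF from the standard library
    HAVE_ARGON2 = False

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
            "0123456789!@#$%^&*-_=+")
LIMIT = 256 - 256 % len(ALPHABET)  # reject bytes >= LIMIT to avoid modulo bias

def canon(label: str) -> str:
    """Normalise so 'GitHub ' and 'github' recreate the same password (assumption)."""
    return unicodedata.normalize("NFKC", label).strip().lower()

def encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so ('ab', 'c') and ('a', 'bc') never collide."""
    out = b""
    for f in fields:
        b = f.encode("utf-8")
        out += len(b).to_bytes(4, "big") + b
    return out

def derive_key(passphrase: str, label: str, pin: str) -> bytes:
    """Memory-hard derivation: secret = passphrase + PIN, salt = label + domain tag."""
    secret = encode_fields(passphrase, pin)                    # what the user remembers
    salt = encode_fields("example-stateless-pw-v1", canon(label))  # per-account salt
    if HAVE_ARGON2:
        return hash_secret_raw(secret, salt, time_cost=3, memory_cost=64 * 1024,
                               parallelism=1, hash_len=32, type=Type.ID)
    return hashlib.scrypt(secret, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

def derive_password(passphrase: str, label: str, pin: str = "", length: int = 20) -> str:
    """Expand the derived key with HMAC-SHA256 into `length` unbiased symbols."""
    key = derive_key(passphrase, label, pin)
    chars, counter = [], 0
    while len(chars) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for byte in block:
            if byte < LIMIT and len(chars) < length:
                chars.append(ALPHABET[byte % len(ALPHABET)])
    return "".join(chars)

if __name__ == "__main__":
    # Constructed inputs: same passphrase, label and PIN always give the same output.
    print(derive_password("correct horse battery staple", "github", "1234"))
```

Because the salt is built from the label and the secret from the passphrase and PIN, changing any one of the three inputs changes the whole output, which is the property the text describes.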
The Main Benefit: There Is Nothing to Steal
The biggest advantage of a stateless design is simple.
Kardix has no password vault.
That means there is no database of stored credentials for an attacker to download.
No account list.
No synced password file.
No cloud backup.
No server-side vault.
The generated password only exists when you create it. After that, Kardix does not need to remember it.
A breach cannot leak a password database that was never stored.
That does not mean the system is perfect. It means the attack surface is different.
Instead of protecting a stored vault, the user protects their private inputs.
The Biggest Tradeoff: No Recovery
This is the part I do not want to hide.
Stateless systems have a serious tradeoff.
If you forget your private inputs, there is no recovery.
There is no "reset my vault" button. There is no support team that can restore your passwords. There is no cloud backup waiting in the background.
That is not a bug. It is part of the design.
Kardix removes storage, but in exchange, you become responsible for remembering the exact inputs you used.
For some people, that is a good tradeoff.
For others, it is not.
A traditional password manager may be better if you need shared passwords, team access, emergency recovery, browser autofill, password history, secure notes, family management, or automatic breach monitoring.
Kardix is not trying to replace every password manager for every person.
It is trying to answer one specific question.
How can you create strong, unique passwords without storing them anywhere?
Where This Approach Makes Sense
A stateless password generator makes the most sense for people who care about local-first tools, privacy, and reducing dependency on cloud storage.
It can be useful for developers, privacy-focused users, offline-first workflows, and personal accounts where recovery is less important than reducing stored secrets.
It also changes the mental model.
Instead of thinking, "Where is my password stored?" you think, "What inputs recreate this password?"
That is a very different approach to password management.
Where a Traditional Password Manager Is Still Better
I do not think everyone should abandon password managers.
For many users, a trusted password manager is still the better choice.
Password managers are convenient. They reduce password reuse. They help users generate random credentials. They often include autofill, passkey support, security alerts, and sharing features.
Those are real benefits.
Kardix is better for a different kind of user: someone who understands the tradeoff and wants fewer stored secrets.
The point is not that all password managers are bad.
The point is that storage is a design choice, not a requirement.
And once you realize that, you can build a different kind of tool.
The Idea Behind Kardix
Kardix is built around one sentence.
The best password database is the one that does not exist.
Not because encryption is useless.
Not because password managers are bad.
But because sometimes the strongest thing you can do is remove the thing attackers want.
No vault.
No sync.
No account.
No password database.
Just deterministic generation from private inputs.
That is the experiment behind Kardix: a stateless password manager alternative for people who want strong unique passwords without storing them anywhere.
It is not the right tool for everyone.
But for the right user, it makes password management feel much simpler.
Remember a strong private phrase.
Use clear account labels.
Generate when needed.
Store nothing.
Would you trust a stateless password generator, or do you prefer a traditional encrypted vault?