Most people use password managers every day.
Very few understand how they actually keep passwords secure.
In this article, I break down how real, production-grade password managers work — the same core ideas used by tools like 1Password or Bitwarden — by walking through a project I built called Passwuts.
🎥 Full video walkthrough:
👉 https://youtu.be/G1m7K7ZG1M0
Why I Built Passwuts
Password reuse is one of the biggest security risks today.
When a single website is breached, reused passwords expose users across every service they use.
Passwuts solves this by:
- Enforcing strong, unique passwords
- Using client-side encryption
- Ensuring the server never sees plaintext credentials
This is the same security philosophy used by serious password managers.
High-Level Architecture (Zero-Knowledge Model)
Passwuts follows a zero-knowledge, client-first encryption model:
- 🔐 Master password never leaves the client
- 🔑 Encryption keys are derived locally using PBKDF2
- 🔒 Passwords are encrypted using AES-GCM
- 🗄️ Server stores only ciphertext + IV
Even if the backend is compromised, an attacker obtains only ciphertext and IVs; recovering any password still requires the master password that was never sent to the server.
How Encryption Works (Step-by-Step)
- User creates a master password
- A strong encryption key is derived using PBKDF2
  - Inputs: master password + user UID (as salt)
- Passwords are encrypted using AES-GCM
  - Each encryption uses a random IV
- Only encrypted data is stored in Firestore
At no point does plaintext leave the browser.
Vault Verification (Without Storing Passwords)
A common problem:
How do you verify the master password without storing it?
Passwuts uses a verifier pattern:
- A known string ("vault-check") is encrypted
- Stored in Firestore as vault metadata
- On unlock:
  - Client decrypts it locally
  - If AES-GCM authentication succeeds and the plaintext matches → password is valid
✅ Secure
✅ Zero-knowledge
✅ No password storage
Browser Extension Architecture
The browser extension reuses the exact same crypto layer as the web app:
- Firebase authentication
- Shared internal crypto package (@pm/crypto)
- Client-side encryption only
- No secret logic in the backend
This keeps behavior consistent across platforms.
What This Project Taught Me
Building a password manager taught me some hard lessons:
- 🔍 Crypto failures usually come from misuse, not math
- 🔄 IV / nonce management is critical
- 🧠 Security UX matters as much as cryptography
- 🔐 Zero-knowledge systems require discipline everywhere
Final Thoughts
Password managers are not magic.
They are carefully engineered systems built on:
- Key derivation
- Authenticated encryption
- Secure client-side architecture
Understanding how they work makes you:
- A better engineer
- A safer user
If you enjoyed this breakdown, watch the full video walkthrough 👇
🎥 https://youtu.be/G1m7K7ZG1M0
Top comments (2)
Yeah, let's put all our work and personal passwords in by trusting a vibe-coded project.
Bro, I won't deny that I didn't use AI at all for this project. But this project is not entirely made by AI; mostly the frontend is made by AI. If you have any doubts, the code is open source and here is the GitHub link for the same:
GitHub: github.com/SplinterSword/passwuts
It has all of my commit history and code. If you find anything wrong, or if you find that this app is not secure at all, feel free to give me feedback.
I am proud of this project and I am using it no problem.