"Throughout Heaven and Earth, I alone am the honored one." — Gojo Satoru
That's basically how I felt about my passwords. No cloud. No third party. Just me, my server, and full control.
Last year, I watched the LastPass breach unfold in slow motion. Millions of encrypted vault backups lifted off someone else's storage, now sitting on attackers' disks to be brute-forced offline at their leisure. And I thought — why are we okay with this?
I was using a popular password manager at the time. Paying for it monthly. Trusting a company I'd never met with literally every login I had. That felt wrong.
So I did what any slightly unhinged developer would do on a weekend.
I built my own.
Meet Tengen
Tengen is a self-hostable, open source password manager. Your passwords live on your machine, encrypted at rest, and never touch a third-party server. Ever.
It runs on React + FastAPI + SQLite, spins up with a single docker-compose up, and the entire source code is open for anyone to audit. No subscriptions. No telemetry. No "trust us bro."
Why Not Just Use Bitwarden?
Honest answer — Bitwarden is great. If you want a polished, battle-tested solution, use Bitwarden.
But I wanted to build something. I wanted to understand every line of code protecting my passwords. And I wanted something that could run completely air-gapped if needed.
Tengen isn't trying to replace Bitwarden. It's for the people who want to own their security stack, not just use it.
The Build
I built this solo over a few weeks, nights and weekends. Here's the stack:
- Frontend — React + TypeScript + Tailwind + shadcn/ui
- Backend — FastAPI + Python
- Database — SQLite (local, lightweight, no separate DB server)
- Auth — JWT sessions issued and verified with PyJWT; vault data encrypted at rest
- Deployment — Docker + Docker Compose
The architecture is deliberately simple. No microservices. No Kubernetes. Just a clean monolith that you can run on a Raspberry Pi if you want.
The Security Pipeline (This is Where It Gets Interesting)
Here's the thing about building a password manager — you can't half-ass the security.
So I set up a full automated security scanning pipeline using GitHub Actions. Every single commit gets scanned by four tools:
🔑 Gitleaks — scans the entire git history for accidentally committed secrets. Because we've all been there.
🐍 Bandit — static analysis on the FastAPI backend. Caught a real finding during development — I was using SHA1 for the HIBP breach check and Bandit flagged it. Technically a false positive (HIBP's range API is keyed on SHA1, and the hash is only a lookup key, not something the vault's security rests on), but it made me think harder about every crypto decision.
📦 pip-audit — checks Python dependencies against the OSV vulnerability database. Found 12 CVEs across 5 packages on the first run. python-jose was basically abandoned with unpatched vulnerabilities — migrated to PyJWT immediately.
🔍 Semgrep — full stack SAST across Python, React, TypeScript and Dockerfiles. First scan found that my container was running as root. Fixed it immediately.
This pipeline runs on every PR and every push to main. Nothing merges if the scans fail.
The JJK Moment
In Jujutsu Kaisen, cursed energy exists everywhere but most people can't see it. Only sorcerers can perceive and deal with the threats hiding in plain sight.
Security vulnerabilities are kind of like cursed spirits. They're hiding in your dependencies, your Dockerfile, your git history. Most developers can't see them — until it's too late.
Setting up these scanning tools is basically learning to use cursed energy perception. You start seeing threats everywhere. That python-jose CVE was just sitting there, invisible, until pip-audit revealed it.
HIBP Integration
One feature I'm really proud of — Tengen checks your passwords against the Have I Been Pwned database using the k-anonymity model.
Your actual password never leaves your machine. Tengen hashes it with SHA1 and sends only the first 5 hex characters of that hash (20 bits) to the API. HIBP answers with the remaining 35 characters of every breached hash that shares that prefix, each with a breach count, and the comparison against your own suffix happens locally. The prefix puts your password in one of roughly a million buckets, so the API learns almost nothing about it; HIBP also offers response padding so that the size of the reply does not reveal how many suffixes it contained.
It's elegant, privacy-preserving, and genuinely useful.
What's Next
Tengen is early. Here's what's coming:
- [ ] Browser extension
- [ ] Mobile app
- [ ] 2FA / TOTP support
- [ ] Password sharing (encrypted)
- [ ] CLI tool
Try It
git clone https://github.com/smadabat1/Tengen
cd Tengen
docker-compose up
That's it. Your self-hosted password manager is running at http://localhost:3000.
Final Thought
Sukuna said "I don't need allies." I disagree — I needed Claude Code, shadcn, FastAPI, and a lot of Stack Overflow.
But your passwords? Those don't need a cloud. They just need your machine.
⭐ If this resonates with you, drop a star on GitHub and check out the Product Hunt launch.
Built solo. Shipped with love. Secured with paranoia. 🔐
Tags: #opensource #security #webdev #selfhosted #python #react #indiehacker