Vibhav Chennamadhava

Building a Secure Password Manager in Python (AES-256, Tkinter)
Python 3.9+
Security: AES-256-GCM

Overview

This project is a secure desktop password manager built using Python and Tkinter, designed to store and manage credentials locally using strong encryption and secure UX patterns.

The goal was to design the application with security-first principles, similar to real-world password managers, while keeping the implementation understandable and auditable.
GitHub Repo: https://github.com/VibhavChennamadhava/Password_manager

Core Design

High-level flow:

  1. Master Password
  2. PBKDF2 Key Derivation
  3. AES-256-GCM Encryption
  4. Encrypted Vault File (vault.enc)

Key rules enforced:

  • Master password is never stored
  • Passwords are never written to disk in plaintext
  • Vault is decrypted only in memory
  • Passwords are never auto-displayed

Cryptography Implementation

Key Derivation

  • PBKDF2 (SHA-256) with a randomly generated salt
  • High iteration count to slow brute-force attacks
  • Produces a 256-bit key for encryption

Encryption

  • AES-256-GCM for authenticated encryption
  • Provides confidentiality and integrity
  • Any tampering with the vault file causes decryption to fail

The encrypted vault is stored locally as a single file named vault.enc.

Vault Design

  • Vault is stored as encrypted JSON
  • Exists only in memory after login
  • Entire vault is encrypted as one unit
  • No partial or plaintext storage

  {
    "entries": [
      {
        "site": "facebook",
        "username": "testuser",
        "password": "secret123"
      }
    ]
  }
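The pipeline described in Cryptography Implementation and Vault Design (PBKDF2 key derivation, whole-vault AES-256-GCM, tamper detection), as an added example that is not the project's own code. The iteration count, the nonce-first blob layout and the sample master password are assumptions; the project's real password_manager.py may differ. It uses the `cryptography` package for AES-GCM and the standard library for PBKDF2.

```python
import hashlib
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed parameters (not read from the project): PBKDF2 iteration count and GCM nonce size.
PBKDF2_ITERATIONS = 600_000
NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM

def derive_key(master_password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 256-bit AES key. The salt is random per vault (the
    project persists it as salt.bin); the master password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)

def encrypt_vault(vault: dict, key: bytes) -> bytes:
    """Serialise the whole vault as JSON and seal it as one AES-256-GCM unit.
    Blob layout (assumed, not the project's): nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(NONCE_LEN)  # fresh nonce on every write; reuse under one key breaks GCM
    return nonce + AESGCM(key).encrypt(nonce, json.dumps(vault).encode("utf-8"), None)

def decrypt_vault(blob: bytes, key: bytes):
    """Return the vault dict, or None when GCM's tag check fails (tampered file or
    wrong master password). GCM never hands back unauthenticated plaintext."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return json.loads(AESGCM(key).decrypt(nonce, ciphertext, None))
    except InvalidTag:
        return None

def flip_bit(blob: bytes, offset: int) -> bytes:
    """Simulate on-disk tampering with vault.enc: flip one bit at the given offset."""
    corrupted = bytearray(blob)
    corrupted[offset] ^= 0x01
    return bytes(corrupted)

def demo() -> dict:
    salt = os.urandom(16)  # would be written to salt.bin
    key = derive_key("correct horse battery staple", salt)  # constructed sample master password
    vault = {"entries": [{"site": "facebook", "username": "testuser", "password": "secret123"}]}
    blob = encrypt_vault(vault, key)  # would be written to vault.enc
    return {
        "roundtrip": decrypt_vault(blob, key) == vault,
        "tampered_rejected": decrypt_vault(flip_bit(blob, NONCE_LEN + 5), key) is None,
        "wrong_password_rejected": decrypt_vault(blob, derive_key("wrong", salt)) is None,
    }
```

Running `demo()` returns all three checks as True: the vault round-trips, a single flipped bit in the stored blob is rejected, and a wrong master password fails the same tag check rather than producing garbage JSON.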

User Interface (Tkinter)

The UI was built using Tkinter for simplicity and security.

Screens:

  • Login Screen – Master password authentication
  • Vault Screen – Displays only site and username
  • Add Password Screen – Secure input with toggle

Passwords are never shown by default.

Show / Hide Password Toggle

While adding a new password, users can toggle visibility to verify input:

  • Password masked by default
  • Toggle affects only input field
  • No exposure in the main vault view

This prevents shoulder surfing while keeping usability intact.

Viewing Passwords (Explicit Action Only)

Passwords are revealed only when the user:

  1. Selects an entry
  2. Clicks View Password

This ensures:

  • No accidental exposure
  • Clear user intent
  • Secure UX behavior aligned with real password managers

One-Click Copy and Auto-Clear Clipboard

Instead of forcing users to view passwords:

  • Copy Password button copies the password to clipboard
  • Clipboard auto-clears after 15 seconds

This reduces screen exposure and mitigates clipboard leakage risks.

Security Highlights

  • AES-256-GCM encryption
  • PBKDF2 key derivation
  • No plaintext passwords on disk
  • Decryption only in memory
  • No logging of secrets
  • Clipboard auto-clear
  • Explicit password access

This design mirrors security patterns used by tools like KeePass and Bitwarden.

Project Structure

PasswordManager

  • password_manager.py (encryption and vault logic)
  • ui.py (Tkinter UI)
  • vault.enc (encrypted vault, auto-created)
  • salt.bin (cryptographic salt)
  • screenshots/
  • README.md

PasswordManager UI:

Login Screen
Secure master password authentication to unlock the encrypted vault.

Add New Password
Add website credentials with a secure password input and show/hide toggle.

Vault View
View saved accounts, securely retrieve passwords, or copy them with auto-clear clipboard protection.

This project serves as a practical example of applying cryptographic fundamentals to a real desktop application.

GitHub Repo: https://github.com/VibhavChennamadhava/Password_manager
