A secure local password manager with strong encryption
Project description
🔐 Secure Password Manager
A cross-platform vault that stores, audits, and rotates secrets entirely on your device. The application ships with both a rich CLI and a PyQt5 GUI, leverages modern cryptography, and is designed to integrate with upcoming browser extensions and automation services.
Feature Highlights
- End-to-end encryption with Fernet (AES-128 + HMAC) backed by PBKDF2-derived master keys and optional Argon2id/scrypt migration hooks.
- Dual interfaces: interactive terminal workflow (`password-manager`) and a full desktop client (`password-manager-gui`).
- Security automation including strength analysis, breach checks, duplicate detection, expirations, and actionable remediation guidance.
- Backup, restore, and export pipelines with integrity protection, versioned envelopes, and disaster-recovery tooling.
- Two-factor authentication (TOTP), clipboard hygiene controls, and planned OS-keyring / hardware token support.
- Extensible architecture intended for browser auto-fill bridges, background jobs, and plugin-defined workflows.
- Experimental browser bridge powered by FastAPI + uvicorn, issuing short-lived tokens to paired browser extensions over a localhost RPC channel.
- Flexible key management with a switchable master-password-derived mode, file-key fallback, and an interactive PBKDF2 benchmarking wizard that tunes iterations and salt size per device.
Quickstart
# 1. Create and activate an isolated environment
python3 -m venv .venv
source .venv/bin/activate
# 2. Install the application in editable mode
pip install -e .
# 3. Initialize the database and set a master password
password-manager --init
# 4. Launch CLI or GUI
password-manager
password-manager-gui
Tip: The first run generates `passwords.db`, `secret.key`, `crypto.salt`, `auth.json`, and (if configured) `totp_config.json` in the working directory. Keep these files private and back them up using the provided tooling.
Key Management & KDF Tuning
- Switch modes: In the CLI, visit `Settings → Key management mode`; in the GUI open the `Settings` tab and use the "Key Management Mode" card. Switching to the master-password-derived mode removes `secret.key` and re-encrypts the vault using a key derived on each unlock.
- Benchmark PBKDF2: Run the "KDF tuning wizard" (CLI `Settings → KDF tuning wizard`, GUI `Settings` tab). The wizard measures the current CPU, recommends an iteration count for the target unlock time, and optionally rotates the salt size.
- Apply new parameters: When accepting the recommendation, the tool re-hashes `auth.json`, re-wraps any protected `secret.key`, and—if password-derived mode is active—re-encrypts every entry so the new parameters take effect immediately.
- Configuration storage: Selected mode, iteration targets, and salt metadata live in `settings.json` and `crypto.salt`. Backups include these files so restored environments preserve your hardening choices.
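The benchmarking step described above, as an added sketch that is not the project's own code: it times a probe derivation, scales it to a target unlock time, and encodes the derived key in the form Fernet expects. The hash (SHA-256), the 600,000 floor, the rounding step, and all function names are assumptions made for this example.

```python
import base64
import hashlib
import os
import time

MIN_ITERATIONS = 600_000  # assumed floor for this sketch, never tuned below it
ROUND_TO = 10_000         # report a tidy figure, rounded down

def time_pbkdf2(iterations, salt_len=16):
    """Seconds taken by one PBKDF2-HMAC-SHA256 derivation on this CPU."""
    salt = os.urandom(salt_len)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"benchmark-only", salt, iterations, dklen=32)
    return time.perf_counter() - start

def recommend_iterations(target_seconds, probe=100_000, measure=time_pbkdf2, samples=3):
    """Scale a probe timing to the target unlock time (PBKDF2 cost is linear)."""
    if target_seconds <= 0 or probe <= 0:
        raise ValueError("target_seconds and probe must be positive")
    # Fastest of several runs: scheduler noise only ever makes a run slower.
    elapsed = min(measure(probe) for _ in range(samples))
    if elapsed <= 0:
        raise ValueError("timer resolution too coarse; raise probe")
    estimate = int(probe * target_seconds / elapsed)
    estimate -= estimate % ROUND_TO
    # A slow CPU must lengthen the unlock, not weaken the KDF.
    return max(estimate, MIN_ITERATIONS)

def derive_fernet_key(password, salt, iterations):
    """32-byte PBKDF2 output, url-safe base64 encoded as Fernet keys are."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return base64.urlsafe_b64encode(raw)

if __name__ == "__main__":
    n = recommend_iterations(target_seconds=0.5)
    print(f"recommended iterations for ~0.5 s unlock: {n}")
    salt = os.urandom(16)  # constructed sample salt
    print(derive_fernet_key("correct horse battery staple", salt, n)[:12], b"...")
```

Changing the iteration count or salt changes the derived key, which is why accepting new parameters forces the re-hash and re-encryption the list above describes.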
Browser Bridge (Experimental)
The local browser bridge service unlocks auto-fill and audit integrations with upcoming browser extensions. It is disabled by default; enable it from either interface:
- CLI → `Settings > Browser Bridge` to toggle auto-start, launch/stop the service, and manage tokens.
- GUI → `Settings` tab → "Browser Bridge" panel to flip the enable checkbox, monitor status, and generate pairing codes.
Once enabled, the FastAPI service binds to http://127.0.0.1:43110 (configurable via settings.json) and exposes the endpoints documented in docs/browser-extension-ipc.md. Pair new extensions by generating a 6-digit code; issued tokens are stored in browser_bridge_tokens.json under the config directory and can be revoked at any time from the same menus.
When the feature is marked enabled, the CLI/GUI automatically starts the service on launch and shuts it down cleanly on exit.
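A 6-digit pairing code has only one million possible values, so whatever issues tokens from it needs expiry, single use, and an attempt cap. The following added sketch (not the project's code; the class name, lifetimes, and attempt limit are assumptions) shows that logic with an injectable clock:

```python
import hmac
import secrets
import time

CODE_TTL = 120      # seconds a pairing code stays redeemable (assumed)
TOKEN_TTL = 900     # seconds an issued token stays valid (assumed)
MAX_ATTEMPTS = 5    # wrong guesses before the code is burned (assumed)

class PairingRegistry:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = None   # [code, expires_at, attempts_left]
        self._tokens = {}      # token -> expires_at

    def new_code(self):
        """Issue a fresh 6-digit code, replacing any earlier one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = [code, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def redeem(self, submitted):
        """Return a bearer token for the correct code, else None."""
        if self._pending is None:
            return None
        code, expires_at, _ = self._pending
        if self._clock() > expires_at:
            self._pending = None
            return None
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            # Only 10**6 possible codes, so guesses must be capped.
            self._pending[2] -= 1
            if self._pending[2] <= 0:
                self._pending = None
            return None
        self._pending = None                  # single use
        token = secrets.token_urlsafe(32)     # 256 bits, not guessable
        self._tokens[token] = self._clock() + TOKEN_TTL
        return token

    def is_valid(self, token):
        expires_at = self._tokens.get(token)
        if expires_at is None or self._clock() > expires_at:
            self._tokens.pop(token, None)     # drop expired entries
            return False
        return True

    def revoke(self, token):
        return self._tokens.pop(token, None) is not None
```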
Documentation Map
| Audience | Read This |
|---|---|
| Everyone | docs/README.md |
| New users | docs/getting-started.md, docs/user-manual.md |
| Security reviewers | docs/security-whitepaper.md |
| Developers | docs/architecture-reference.md, docs/contributing.md |
| Operators & SRE | docs/operations-runbook.md, docs/background-jobs-observability.md |
| Builders | docs/build-release-handbook.md |
| Future integrations | docs/browser-extension-ipc.md |
| Roadmap | docs/roadmap.md & CHANGELOG.md |
Support & Feedback
- File issues or feature requests via GitHub.
- Use the `logs/password_manager.log` file along with `docs/operations-runbook.md` when reporting problems.
- Security disclosures should follow the responsible reporting process described in `docs/security-whitepaper.md`.
File details
Details for the file secure_password_manager-1.8.4.tar.gz.
File metadata
- Download URL: secure_password_manager-1.8.4.tar.gz
- Size: 63.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b0d0ce72882796a105b09eeb82ac6c7cbfec205a1cf8f926a73bcf606c36f020 |
| MD5 | b4143e0803b25df2d6ba3fe634355a49 |
| BLAKE2b-256 | 619d4dad05cbe6506c2fc33a242284cb8511c141d60831228aa3c74755c16014 |
File details
Details for the file secure_password_manager-1.8.4-py3-none-any.whl.
File metadata
- Download URL: secure_password_manager-1.8.4-py3-none-any.whl
- Size: 63.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | cb707441e44a7ca38a15f25c218895f54a366c8664f09039c6a8e35cb4e5ef45 |
| MD5 | 92ac8685e9e83653156bd8b7e2c40986 |
| BLAKE2b-256 | c33607c1ea73c3b86e7ae97eb9cba49ff1cfd9439e802619e0d370d92552601d |