password-manager.js is a minimalistic password manager. It can encrypt and decrypt passwords (or other text) using AES-256. Because it is written in JavaScript, the code runs in your browser and does not send your data to any servers! But don't take my word for it: check the source code yourself. It is only 50 lines long ;)
Because password-manager.js uses openpgp.js under the hood, it is compatible with other tools that support the OpenPGP standard (like GnuPG). You can decrypt a file encrypted by password-manager.js with GnuPG using this command (you will be prompted for your master password):

    gpg --no-symkey-cache -o decrypted.txt -d passwords.pgp.asc

- It works on all devices (if they can install a browser).
- It uses well-established standards: AES-256 and OpenPGP.
- It is prepared for the future: AES-256 is considered quantum resistant.
- It has a single dependency, which is being actively developed and has been audited for security: openpgp.js.
- It is simple: 50 lines of JavaScript code plus boilerplate HTML and CSS.
- It is small: 1.5 MB including the non-minified dependency code.
- It is portable: Just copy the repository anywhere you want.
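
To check which cipher and key derivation an encrypted file actually declares, the following added example (not code from password-manager.js or openpgp.js) parses the first packet of an armored OpenPGP message. It assumes the version 4 symmetric-key encrypted session key packet layout from RFC 4880 with a one-octet length; the names dearmor, inspectFirstPacket and SAMPLE are made up for this example, and the sample message is constructed by hand.

```javascript
// Identifiers from RFC 4880 (sections 9.2 and 3.7.1).
const CIPHERS = { 7: "AES-128", 8: "AES-192", 9: "AES-256" };
const S2K_TYPES = { 0: "simple", 1: "salted", 3: "iterated+salted" };

// Remove the ASCII armor: skip armor headers and the optional "=CRC" line.
function dearmor(armored) {
  const lines = armored.trim().split(/\r?\n/).map((l) => l.trim());
  const begin = lines.indexOf("-----BEGIN PGP MESSAGE-----");
  const end = lines.indexOf("-----END PGP MESSAGE-----");
  if (begin < 0 || end < begin) throw new Error("not an armored PGP message");
  const blank = lines.indexOf("", begin); // blank line ends the armor headers
  const start = blank > begin && blank < end ? blank + 1 : begin + 1;
  const b64 = lines.slice(start, end).filter((l) => !l.startsWith("=")).join("");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Parse the first packet and report how the session key is protected.
function inspectFirstPacket(armored) {
  const p = dearmor(armored);
  if (p.length < 2 || !(p[0] & 0x80)) throw new Error("invalid packet header");
  const newFormat = (p[0] & 0x40) !== 0;
  const tag = newFormat ? p[0] & 0x3f : (p[0] >> 2) & 0x0f;
  // Tag 3 is the password-based session key packet; anything else is not a password file.
  if (tag !== 3) return { passwordBased: false, tag };
  const oneOctet = newFormat ? p[1] < 192 : (p[0] & 0x03) === 0;
  if (!oneOctet) throw new Error("unsupported length encoding");
  const body = p.subarray(2, 2 + p[1]);
  if (body.length < 4 || body[0] !== 4) throw new Error("unsupported SKESK packet");
  const s2k = body[2];
  if (s2k === 3 && body.length < 13) throw new Error("truncated S2K specifier");
  const c = body[12]; // coded iteration count, present only for S2K type 3
  return {
    passwordBased: true,
    tag,
    cipher: CIPHERS[body[1]] || "algorithm " + body[1],
    s2k: S2K_TYPES[s2k] || "type " + s2k,
    iterations: s2k === 3 ? (16 + (c & 15)) << ((c >> 4) + 6) : null,
  };
}

// Constructed sample: a hand-built SKESK packet only, with no encrypted data after it.
const SAMPLE = [
  "-----BEGIN PGP MESSAGE-----",
  "",
  "ww0ECQMIAQIDBAUGBwjg",
  "-----END PGP MESSAGE-----",
].join("\n");

console.log(inspectFirstPacket(SAMPLE));
```

A file whose first packet reports a cipher other than AES-256, or an S2K type without salt and iterations, does not match what this page describes and deserves a closer look before you rely on it.
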
To encrypt your passwords:
- Open index.html.
- Type your passwords (or other text) into the large text box.
- Type a secure master password (>22 characters; letters, numbers and symbols) into the password field.
- Click "Encrypt & download".
- Store the encrypted file on your computer or anywhere in the cloud.
To read your passwords at a later time:
- Open index.html.
- Click "Browse..." and choose the encrypted file.
- Type the master password into the password field.
- Click "Decrypt".
Some browsers on certain operating systems (e.g. Chrome on Android) will not allow loading JavaScript or CSS files when the HTML file is opened from local storage. Instead, the HTML file must be served via a web server. Feel free to serve password-manager.js from your own web server or use this link: https://pwm.benjamin-portner.de.
password-manager.js is merely a graphical user interface. All the cryptography is handled by openpgp.js (which in turn uses the Web Crypto API if your browser is not completely outdated). openpgp.js is maintained by Proton Mail and has undergone two security audits. I personally consider it safe for the use case of storing passwords (when using a secure master password!).
This project has not been audited for security. I am not a security researcher and although I am using password-manager.js myself, there might be security issues with the code in this project or its dependencies. Use at your own risk! In any case, using password-manager.js with an outdated browser is heavily discouraged and can lead to stolen credentials. Keep your browser up to date!
Make sure to keep a copy of your master password in a secure place. Neither your master password, nor the entered clear text, nor the encrypted data will be sent to any servers. Data WILL be permanently lost if you lose your master password.