Open source decentralized maximum-security password manager

Two-factor security

Access is protected by both a master passphrase and a private key file

No password database

No need to synchronize or back up a database

Decentralized

Open source and not tied to any service provider

How it works

Entropass generates site passwords on the fly using a hashing algorithm based on your master passphrase, private key file, and the domain of the site. The private key is saved in your browser, and the domain is automatically populated, so all you have to do is type in your master passphrase each time you log in to a site.

Entropass is automatically safe against domain spoofing attacks; if there is a typo in the domain you are visiting, it will generate a completely different password than the one for the domain without the typo, so the spoof domain never gets your real password.

An open standard

Everyone is free to use the Entropass password generation algorithm in their commercial or non-commercial software. It is based entirely on standardized cryptographic technologies that are commonly available in libraries across many languages. This is the pseudocode for the core algorithm:
secret = passphrase + resetCount + sha512(privateKey)
password = b85encode(pbkdf2_hmac('sha512', secret, salt=domain, rounds=100))

The full Python implementation is just 13 lines of code with no dependencies and is available here.
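The pseudocode above, carried through as an added, runnable Python example (not the project's own 13-line implementation). The page does not fix the byte encodings, so this assumes the hex digest of sha512 for the private key, the decimal string for the reset count, and UTF-8 for the secret and the domain salt; the demo exercises the two behaviours the page describes, a typo in the domain and an incremented reset count each yielding a different password.

```python
import base64
import hashlib

# Iteration count taken from the page's pseudocode. Note that stretching is
# deliberately light; the design leans on the entropy of the private key file
# rather than on PBKDF2 work factor to resist guessing.
PBKDF2_ROUNDS = 100

# Constructed sample inputs for the demo only.
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_PRIVATE_KEY = b"any file contents, never shared: 0123456789abcdef"


def entropass_password(passphrase: str, private_key: bytes, domain: str,
                       reset_count: int = 0, rounds: int = PBKDF2_ROUNDS) -> str:
    """Derive a site password per the page's pseudocode.

    secret   = passphrase + resetCount + sha512(privateKey)   (assumed encodings)
    password = b85encode(pbkdf2_hmac('sha512', secret, salt=domain, rounds))
    """
    key_digest = hashlib.sha512(private_key).hexdigest()          # assumed: hex form
    secret = f"{passphrase}{reset_count}{key_digest}".encode("utf-8")
    # Default dklen for sha512 is 64 bytes; 64 bytes Base85-encode to exactly 80 chars.
    derived = hashlib.pbkdf2_hmac("sha512", secret, domain.encode("utf-8"), rounds)
    return base64.b85encode(derived).decode("ascii")


def demo() -> dict:
    """Show the domain-binding and reset-count properties on constructed inputs."""
    real = entropass_password(SAMPLE_PASSPHRASE, SAMPLE_PRIVATE_KEY, "example.com")
    typo = entropass_password(SAMPLE_PASSPHRASE, SAMPLE_PRIVATE_KEY, "exarnple.com")
    reset = entropass_password(SAMPLE_PASSPHRASE, SAMPLE_PRIVATE_KEY, "example.com",
                               reset_count=1)
    return {
        "real": real,
        "typo_domain_differs": typo != real,   # spoofed domain never sees the real one
        "reset_differs": reset != real,        # incrementing resetCount rotates it
        "length": len(real),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```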

Comparison with LastPass and KeePass

Pros vs. LastPass
  • No need to trust closed source code
Pros vs. KeePass
  • No password database to back up and sync between devices
Pros vs. Both
  • Impossible to brute force: the private key is like adding 80 extra characters to your password
Cons
  • Since Entropass generates passwords for you, you will have to reset each of your website passwords to use Entropass
  • If your master passphrase or private key is compromised, you will have to reset all of your site passwords

FAQ

What if I have to reset a site password?

You can increment the reset count to generate a new password for that site.

What is a private key file?

You can use any file as a private key, as long as it has never been sent over the internet or shared with anyone else. For example, you could take a picture of yourself or just type a lot of random characters into a text document. Another option is to write a simple program and use the program's output as your private key. The advantage of this is that you can reconstruct your private key if you ever lose all copies of it, as long as you remember how to write the program.