Overview
OfflinePass is a deterministic password manager that turns one Master Key
into a unique, secure password for every site — entirely in your browser.
No server. No vault. No sync. Lose your device and you can recover every
password on a fresh install just by remembering one phrase.
──────────────────────────────────────────
THE WHOLE ALGORITHM, ON ONE SCREEN
──────────────────────────────────────────
msg = "github.com" + "|" + "you@example.com" + "|2026|0"
mac = hmac-sha256(masterKey, msg)
password = base58(mac).slice(0, 16)
// → 0$87booSaeaKYnhgEq
That's it. Three inputs (host, identity, year), one HMAC-SHA256, base58
encoded and truncated to 16 characters. Same Master Key + same site +
same identity always produces the same password — on any device, on
any version, forever.
──────────────────────────────────────────
WHY OFFLINEPASS
──────────────────────────────────────────
• No server, ever
Every password is computed locally. Open the network tab and watch —
there are zero requests after the popup loads.
• Nothing to back up
No vault, no sync, no database. The only secret is your Master Key,
and only you remember it.
• Deterministic
Forget syncing across devices. Type the same Master Key on a fresh
install and you instantly recover every password.
• Audit the math, not us
HMAC-SHA256 + Base58. ~94 bits of entropy in the truncated output.
The whole thing is a few lines of TypeScript you can read in one
sitting. Source on GitHub: github.com/sireto/offlinepass
• Zero tracking
No analytics, no fingerprinting, no telemetry, no cookies you didn't
ask for. Apache 2.0 license, free for any use.
──────────────────────────────────────────
HOW TO USE IT
──────────────────────────────────────────
1. Click the OfflinePass icon (or press Ctrl/Cmd+Shift+F).
2. Type your Master Key.
3. The current site is filled in automatically; type your username.
4. The 16-character password appears in the result card. Click copy.
That's the whole flow. Same site, same identity, same Master Key →
the same password every time.
──────────────────────────────────────────
OPTIONAL: SAVE YOUR MASTER KEY WITH A PIN
──────────────────────────────────────────
If you don't want to retype your Master Key on every visit, you can
encrypt it locally with a PIN:
• Key derivation: PBKDF2-HMAC-SHA256, 250,000 iterations, 16-byte
random per-MSK salt.
• Cipher: AES-GCM with a 12-byte random IV. The auth tag is what tells
us a wrong PIN was entered — there is no separate hash to crib
against.
• Storage: localStorage on this device only. Nothing is synced or sent
over the network.
Enter the wrong PIN and the GCM auth tag fails — the ciphertext is
useless without it. PINs are short, so a long PIN (or no PIN at all)
is stronger; we explain the trade-off in SECURITY.md.
──────────────────────────────────────────
PERMISSIONS
──────────────────────────────────────────
This extension requests one permission:
• activeTab — used only to read the URL of the tab where you opened
the popup, so OfflinePass can pre-fill the host field. The URL never
leaves your browser.
──────────────────────────────────────────
PRIVACY
──────────────────────────────────────────
OfflinePass collects nothing. There is no analytics endpoint, no
fingerprinting, and no remote configuration. The extension makes zero
network requests after install. The full source is published under
Apache 2.0 — verify it yourself.
──────────────────────────────────────────
LINKS
──────────────────────────────────────────
• Source code: https://github.com/sireto/offlinepass
• Web app: https://offlinepass.com
• Security policy: https://github.com/sireto/offlinepass/blob/main/SECURITY.md
• License: Apache 2.0
Tags
Privacy Practices
🔐 Security Analysis
This extension hasn't been security-scanned yet.