Hi PrivacyGuides!
I’m excited to introduce CarryPass, a privacy-first, deterministic password manager and credential distribution tool built for offline use, zero trust in infrastructure, and total user control.
CarryPass isn’t just another password vault. It’s a stateless web app that works fully offline, runs entirely in the browser, and never stores or transmits any secrets. There’s no backend, no tracking, and no accounts. Everything happens client-side using strong cryptography like Argon2id, PBKDF2, and AES-GCM, making CarryPass resilient even in air-gapped or high-compliance environments.
I’m Zoltán, the creator of CarryPass and a long-time privacy advocate. This project was born from personal experience: after being locked out of a hacked account in 2020 and later seeing the cloud-based password manager I used get breached, I realized I could no longer trust hosted infrastructure with my secrets. I built CarryPass to eliminate the need for trust entirely.
Over the past two years, I’ve worked to create a tool that gives individuals and teams cryptographically strong password generation and vault sharing — all without needing a server or exposing anything online.
Key Features
- Deterministic Passwords: Strong passwords generated from user input using Argon2id + PBKDF2 + AES-CTR. Nothing is stored.
- Offline-First Vaults: Team and member-specific encrypted credential sets are distributed as static JSON files — decryptable only client-side.
- Optional Service Worker Delivery: Credentials can also be distributed using a Service Worker — enabling secure, offline-capable delivery of encrypted vaults within the app itself, without any cloud sync or backend server.
- QR & Air-Gapped Sharing: Secure secrets can be transferred via QR between devices — no pairing, no internet, no account.
- TOTP-Backed Unlock: Access passwords paired with a TOTP system provide vault access without relying on external identity providers.
- Team Role Separation: Admins can maintain team vaults, while members can only view what they’re assigned.
- White-Label Ready: Small teams and user groups can rebrand CarryPass with algorithm separation, ensuring cryptographic uniqueness per deployment.
Philosophy
No telemetry. No sync. No server. No trust assumptions.
CarryPass is cryptography in your browser — nothing more, nothing less.
All cryptographic operations take place locally, and every aspect of the system is deterministic. You can inspect, audit, and recompile your own version. Each white-label build can get a tweak to the generator algorithm to prevent overlap across organizations.
Try It Out
- Demo: https://carrypass.net
- Source Code: https://github.com/racz-zoltan/racz-zoltan.github.io
Roadmap
My short-term focus is on:
- Finalizing TOTP secret transfer via keyboard-based grid input, without ever revealing the secret — even to the user
- Publishing testable vault + password cracking challenges (for cryptanalysis by the community)
- More language support (currently English/Hungarian available)
Planned for later:
- Offline-first desktop/mobile app (possibly via Tauri)
- Editor-submitted vault updates with admin-side validation logs
- Full vault changelog audit view for transparency and governance
Feedback Welcome
- What would you want from a truly stateless password-sharing tool?
- How can I improve the onboarding flow or documentation for privacy-first users?
I’d love your thoughts, questions, and critiques — whether you’re a privacy veteran, developer, or just curious.
Thanks for reading!
If CarryPass feels like something that belongs in your privacy toolkit, I’d really appreciate your thoughts or suggestions.
Zoltán