CarryPass — Stateless Password & Credential Manager with Zero Cloud Dependency

Hi PrivacyGuides!

I’m excited to introduce CarryPass, a privacy-first, deterministic password manager and credential distribution tool built for offline use, zero trust in infrastructure, and total user control.

CarryPass isn’t just another password vault. It’s a stateless web app that works fully offline, runs entirely in the browser, and never stores or transmits any secrets. There’s no backend, no tracking, and no accounts. Everything happens client-side using strong cryptography like Argon2id, PBKDF2, and AES-GCM, making CarryPass resilient even in air-gapped or high-compliance environments.

I’m Zoltán, the creator of CarryPass and a long-time privacy advocate. This project was born from personal experience: after being locked out of a hacked account in 2020 and later seeing the cloud-based password manager I used get breached, I realized I could no longer trust hosted infrastructure with my secrets. I built CarryPass to eliminate the need for trust entirely.

Over the past two years, I’ve worked to create a tool that gives individuals and teams cryptographically strong password generation and vault sharing — all without needing a server or exposing anything online.

Key Features

  • Deterministic Passwords: Strong passwords generated from user input using Argon2id + PBKDF2 + AES-CTR. Nothing is stored.
  • Offline-First Vaults: Team and member-specific encrypted credential sets are distributed as static JSON files — decryptable only client-side
  • Optional Service Worker Delivery: Credentials can also be distributed using a Service Worker — enabling secure, offline-capable delivery of encrypted vaults within the app itself, without any cloud sync or backend server.
  • QR & Air-Gapped Sharing: Secure secrets can be transferred via QR between devices — no pairing, no internet, no account.
  • TOTP-Backed Unlock: Access passwords paired with a TOTP system provide vault access without relying on external identity providers.
  • Team Role Separation: Admins can maintain team vaults, while members can only view what they’re assigned.
  • White-Label Ready: Small teams and user groups can rebrand CarryPass with algorithm separation, ensuring cryptographic uniqueness per deployment.

Philosophy

No telemetry. No sync. No server. No trust assumptions.
CarryPass is cryptography in your browser — nothing more, nothing less.

All cryptographic operations take place locally, and every aspect of the system is deterministic. You can inspect, audit, and recompile your own version. Each white-label build can get a tweak to the generator algorithm to prevent overlap across organizations.

Try It Out

Roadmap

My short-term focus is on:

  • Finalizing TOTP secret transfer via keyboard-based grid input, without ever revealing the secret — even to the user
  • Publishing testable vault + password cracking challenges (for cryptanalysis by the community)
  • More language support (currently English/Hungarian available)

Planned for later:

  • Offline-first desktop/mobile app (possibly via Tauri)
  • Editor-submitted vault updates with admin-side validation logs
  • Full vault changelog audit view for transparency and governance

Feedback Welcome

  • What would you want from a truly stateless password-sharing tool?

  • How can I improve the onboarding flow or documentation for privacy-first users?

I’d love your thoughts, questions, and critiques — whether you’re a privacy veteran, developer, or just curious.

Thanks for reading!
If CarryPass feels like something that belongs in your privacy toolkit, I’d really appreciate your thoughts or suggestions.

Zoltán

4 Likes

Interesting!
What if I needed to change a password for a specific website? How does CarryPass tackle this challenge of stateless password managers?

Great question! Thank you for bringing it up. That’s exactly the kind of challenge CarryPass was designed to handle.

To make password rotation and revocation easier, CarryPass doesn’t just generate one password, it actually produces six deterministic variants from the same input. This is made possible by using AES in CTR (Counter) mode, which allows deriving a stream of random-looking bytes from a deterministic seed, and then slicing it into multiple independent password outputs.

In addition, the more traditional approach is still supported: you can slightly modify an input (like the service name), or more conveniently in CarryPass, simply increase/decrease the “Security” value, which changes the key derivation process and results in a completely different (but still deterministic) password.

So whether you want structured rotation, or intentional input tweaking (e.g. bumping the ‘Security’ counter), CarryPass keeps you in control.

Update: CarryPass was recently added to Pluja’s awesome-privacy list — a curated list of vetted privacy tools!

I’m really honored to see CarryPass recognized there as a privacy-respecting, stateless password manager.

This reinforces the vision behind CarryPass: no cloud storage, no syncing — just secure, deterministic password generation and encrypted vault handling, all client-side.

Thanks again to everyone here for the feedback and support so far!

1 Like

Great.
Is it supposed to be an alternative to KeePass?
If I understood correctly, the main problem compared to Bitwarden is that it is stored locally?

Are backups available?

Even after reading your website, I am not sure I understand what your product is.

You say it is a password manager but also say “Passwords are never stored — they are safely generated when needed, and can be recreated on any device.” I don’t understand.

The difference to KeePass, for example, is that KeePass stores your passwords encrypted on your device, but CarryPass does not store anything on your device and derives your passwords each time from your input (service name, master password, strength parameters).

So instead of using your master password to decrypt your KeePass file, CarryPass generates your passwords every time. Given the same input, you will always get the same generated/derived password.

You don’t need to back up an encrypted file like in KeePass, but you still need to remember the inputs you used to derive your passwords (service name, master password, strength parameters).

1 Like

You’re absolutely right that CarryPass doesn’t work like traditional password managers such as Bitwarden or KeePass, but it is a password manager, just with a completely different design philosophy.

CarryPass is a stateless password manager
It doesn’t store your passwords, not locally, not in the cloud, not even encrypted. Instead, it uses deterministic password generation: enter the same inputs (e.g. website/service name + master password + settings), and it generates the same strong password every time. No sync or storage, just pure math.

No syncing, no backups needed
Because CarryPass doesn’t store anything, there’s nothing to sync or back up. You can regenerate your passwords on any device, even offline, by simply re-entering your master password, the service name and settings.

Is it an alternative to KeePass?
Not exactly. It’s an alternative approach. KeePass stores encrypted password files. CarryPass skips storage of passwords entirely. If you want to avoid the hassle and risk of managing files, CarryPass offers a simpler, stateless alternative.

Compared to Bitwarden?
Bitwarden is a solid cloud-based manager, but it requires trust in its infrastructure since your vault lives on their servers. CarryPass removes that need entirely: no servers, no syncing, no data ever leaves your device. Everything is generated in real time, in your browser.

Try it yourself right in your browser
The demo on the site isn’t just a preview, it’s fully usable. You can generate passwords, adjust settings, and see how it works. It runs fully offline, and nothing you enter is ever sent or stored by default.

Installable as an app
CarryPass is a Progressive Web App (PWA), so you can install it on your phone, tablet, or desktop just like a native app. Once installed, it works offline with full functionality.

Thanks! @bbubjlaftyrcmr @any1 it is much clearer now for me.
You should not assume that the public knows what “stateless” and “deterministic” means.
Maybe this is intentional but what you explained in your last message @bbubjlaftyrcmr is not explained at all in the landing page in https://carrypass.net/

Note that the demo does not work by default on Vanadium because JIT is disabled by default.

First impression: wow, this kind of feels like magic!! :joy: This is indeed VERY different than Bitwarden.

However I am not sure it is ready to replace traditional PM because there is no autofill. Username generator is also less customizable, etc.

Also, I can’t get a list of all my passwords, right? Is this normal?

And btw, you need to type your password EVERY time you want to see a password, right? Very inconvenient…

The maths are sound but I feel this is not what I want from a password manager right now.

Yes, because that information is never stored anywhere. Nothing is ever stored anywhere in a stateless program.

Looking at the demo app, it seems that it’s possible to locally store some metadata about the services you have passwords for.

1 Like

Update (June 2025)
A massive new breach just leaked 16 billion passwords, including fresh credentials for major services like Apple, Google, Facebook, and more.

This reinforces why I built CarryPass around a stateless model:
If there’s nothing stored, there’s nothing to leak.

Passwords are generated locally, deterministically, and on-demand. No cloud, no sync, no tracking — and now more than ever, no leaks.

2 Likes

(reposting here)

I wouldn’t assume so, but would it be possible for this type of model to support passkeys?

I would also assume not. That would require a fixed private key that can be deterministically generated from the input master passphrase.

I’ve been reflecting on something Davey Winder (the article’s author) said:

“Password compromise is no joke… it leads to account compromise and that leads to, well, the compromise of most everything you hold dear in this technological-centric world we live in.”

That’s why I built CarryPass.
It doesn’t claim to solve all problems (servers still need to hash and protect credentials properly) but it reduces your personal risk surface:

  • No stored vaults = no vault theft

  • No sync = no cloud-side compromise

  • Deterministic password generation = no password reuse ever

Every password is unique to the service. There’s nothing to sync, nothing to store, and nothing to steal, and that’s one less thing to compromise in a breach like this.

Great question! CarryPass isn’t made to work with passkeys, because passkeys need to be stored somewhere on your device or in the cloud.

CarryPass doesn’t store anything — that’s kind of the whole point. It just re-creates your passwords when you need them, so there’s nothing to steal or sync.

So while both try to make logging in safer, they work in totally different ways.

What is the recommended approach when one of your passwords is leaked? Creating a new master password and resetting every single password for every service is not ideal. Would changing the security level for the compromised service be the right approach while keeping the same master password?

Great question! You’re absolutely right that resetting everything isn’t ideal.

In CarryPass, each service gets six unique passwords from the same input settings — so if one of them gets leaked, you can just switch to the next one in the list.

If you ever use up all six (for example, after multiple rotations), you can simply increase the “security” level setting for that service. This gives you a brand new set of six deterministic passwords without changing your master password or affecting other services.

So you don’t need to rotate everything or start over. Just move to the next password, or bump the strength if needed. That’s part of the power of stateless design: no reuse, no central vault, no cascade risk.

1 Like

Idea seems good, but I am not sure if it can actually replace my password manager.

Correct me if I am wrong. To make this work, first I have to change all of my account passwords to CP’s new passwords, which are generated according to the AppID. Which means, as a first step, I have to change hundreds of accounts. Then comes the next pain point. If I want to change an account password, I have to create a new AppID, and I have to remember it. Example for gmail,

If my understanding is correct, then this might be good for very few sites, which don’t need password changes but require complex passwords and security, but for regular usage I don’t think it can replace a regular password manager.

3 Likes

Thanks for the thoughtful feedback, and let me clarify a key point, since this might help:

In CarryPass, the Application ID is just a local nickname or passphrase used to personalize the app to your browser or device. It helps encrypt your settings and any locally stored data, but it’s not involved in generating passwords at all.

The actual passwords are generated using your Master Password + Service name + Security level (like “gmail.com”, Security 101). So for Gmail, if you ever need to rotate, you don’t need to keep changing the name to gmail.com#somethingnewIhopefinal. You can:

- Simply pick the next password from the 6 deterministic variants CarryPass already gives you

- Or bump up the security level slightly (e.g., from 101 to 102) to get a fresh set of 6, so no need to invent new labels

So yes, initial migration takes some effort, but after that, password changes are quick, controlled, and private — with no syncing, no vaults, and no tracking.

It’s definitely a different mindset. CarryPass doesn’t aim to replace every feature of a regular password manager. It’s built for people who prioritize privacy, control, and zero trust in infrastructure.

Some users run it alongside a vault-based manager, others go all in — and of course, some may find that it’s not for them at all. That’s totally fine. CarryPass isn’t trying to be everything. Just a privacy-first, no-storage alternative for those who value control over convenience.

1 Like

My English isn’t that good so I may not understand everything, but what if someone else who, by any chance, is also using CarryPass has the same master password as you? Isn’t there a risk that it generates your passwords for him?