Vaultless — stateless password manager

master password

site / use-case

lowercase, no spaces — case-insensitive by design

username / email (optional — adds extra uniqueness)

options

length

version (increment to change password)

uppercase (A–Z)

lowercase (a–z)

digits (0–9)

symbols (!@#…)

remember options for this site

alias (optional — shown in saved list only, never used for derivation)

about vaultless

Vaultless never stores passwords. Each password is derived on-the-fly from your master password + site + username using PBKDF2-SHA256 (1 million iterations). The same inputs always produce the same output.

Site names are normalised (lowercase, no spaces) before hashing — capitalisation and spacing are always ignored.

The settings file is safe to store publicly (like a KeePass file). Each site entry is encrypted individually with AES-GCM-256 using a key derived from your master password (1.5 million PBKDF2 iterations). Site names, aliases, and config fields like length and character classes are never stored in plaintext — not in the browser nor in the export file.

Inspired by LessPass.