Most people use password managers every day.
Very few understand how they actually keep passwords secure.
In this article, I break down how real, production-grade password managers work — the same core ideas used by tools like 1Password or Bitwarden — by walking through a project I built called Passwuts.
🎥 Full video walkthrough:
👉 https://youtu.be/G1m7K7ZG1M0
Why I Built Passwuts
Password reuse is one of the biggest security risks today.
When a single website is breached, reused passwords expose users across every service they use.
Passwuts solves this by:
- Enforcing strong, unique passwords
- Using client-side encryption
- Ensuring the server never sees plaintext credentials
This is the same security philosophy used by serious password managers.
High-Level Architecture (Zero-Knowledge Model)
Passwuts follows a zero-knowledge, client-first encryption model:
- 🔐 Master password never leaves the client
- 🔑 Encryption keys are derived locally using PBKDF2
- 🔒 Passwords are encrypted using AES-GCM
- 🗄️ Server stores only ciphertext + IV
Even if the backend is compromised, passwords remain safe.
How Encryption Works (Step-by-Step)
- User creates a master password
- A strong encryption key is derived using PBKDF2
  - Inputs: master password + user UID (as salt)
- Passwords are encrypted using AES-GCM
  - Each encryption uses a random IV
- Only encrypted data is stored in Firestore
At no point does plaintext leave the browser.
Vault Verification (Without Storing Passwords)
A common problem:
How do you verify the master password without storing it?
Passwuts uses a verifier pattern:
- A known string ("vault-check") is encrypted
- Stored in Firestore as vault metadata
- On unlock:
  - Client decrypts it locally
  - If it decrypts correctly → password is valid
✅ Secure
✅ Zero-knowledge
✅ No password storage
Browser Extension Architecture
The browser extension reuses the exact same crypto layer as the web app:
- Firebase authentication
- Shared internal crypto package (@pm/crypto)
- Client-side encryption only
- No secret logic in the backend
This keeps behavior consistent across platforms.
What This Project Taught Me
Building a password manager taught me some hard lessons:
- 🔍 Crypto failures usually come from misuse, not math
- 🔄 IV / nonce management is critical
- 🧠 Security UX matters as much as cryptography
- 🔐 Zero-knowledge systems require discipline everywhere
Final Thoughts
Password managers are not magic.
They are carefully engineered systems built on:
- Key derivation
- Authenticated encryption
- Secure client-side architecture
Understanding how they work makes you:
- A better engineer
- A safer user
If you enjoyed this breakdown, watch the full video walkthrough 👇
🎥 https://youtu.be/G1m7K7ZG1M0