CarryPass is a zero-knowledge password and credential manager built for offline use, privacy, and transparency.
In 2020, one of my social media accounts was hacked, locking me out and exposing a hard truth: my password habits were terrible. I relied on the same base password across sites, occasionally adding a “1” or an exclamation mark to meet requirements. After the breach, I turned to a popular password manager — only to learn a few years later that it had also been compromised.
That’s when I decided to build CarryPass: a stateless password manager and secure sharing tool that doesn’t store or remember anything. There’s no cloud, no database, no sync service — just deterministic, client-side cryptography. Your passwords are never saved; they’re generated on demand, using pure math in your browser. CarryPass is my answer to insecure habits, data breaches, and trust-by-default tools. It’s privacy-first, server-free, and built for peace of mind.
Most password managers rely on cloud sync, database storage, or browser extensions. CarryPass takes a different path: it never stores passwords at all. Instead, it calculates them on the fly, using a master password, service name, and your character type preferences.
This means there's no sync to set up, no database to breach. You can regenerate the same secure password from any device — even offline.
CarryPass uses a deterministic model combining Argon2id, PBKDF2, and AES-CTR to derive secure passwords. For shared credentials, it uses Argon2id, PBKDF2, and AES-GCM to encrypt vaults per user or team.
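A minimal sketch of the stateless derivation described above, as an added example that is not CarryPass's code: it omits the Argon2id stage and uses only Node's built-in PBKDF2 and AES-CTR. The salt layout, iteration count, character sets and the `derivePassword` name are assumptions, since the page does not specify how CarryPass combines its primitives.

```javascript
// Added illustration, not CarryPass's code. Salt layout, iteration count and
// character sets are assumptions; the Argon2id stage is omitted.
const { pbkdf2Sync, createCipheriv } = require('node:crypto');

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digit: '0123456789',
  symbol: '!@#$%^&*-_=+?',
};
const ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor
function derivePassword(master, service, classes = Object.keys(CLASSES), length = 20) {
  if (!master || !service) throw new Error('master password and service name are required');
  const sets = classes.map((c) => {
    if (!CLASSES[c]) throw new Error(`unknown character class: ${c}`);
    return CLASSES[c];
  });
  if (sets.length === 0 || length < sets.length || length > 64) {
    throw new Error('length must fit every requested class and be at most 64');
  }
  // The salt binds the output to the service and the preferences, so changing
  // any input yields an unrelated password.
  const salt = `example-v1|${service.trim().toLowerCase()}|${classes.join(',')}|${length}`;
  const key = pbkdf2Sync(master.normalize('NFKC'), salt, ITERATIONS, 32, 'sha256');
  // AES-256-CTR over zero bytes is a deterministic keystream. The fixed IV is
  // acceptable only because this key never encrypts anything else.
  const stream = createCipheriv('aes-256-ctr', key, Buffer.alloc(16))
    .update(Buffer.alloc(64 * length));
  let pos = 0;
  // Uniform integer in [0, n) by rejection sampling, which avoids modulo bias.
  const pick = (n) => {
    const limit = 256 - (256 % n);
    for (;;) {
      if (pos >= stream.length) throw new Error('keystream exhausted');
      const b = stream[pos++];
      if (b < limit) return b % n;
    }
  };
  // One character from each requested class, then fill from the union.
  const all = sets.join('');
  const chars = sets.map((s) => s[pick(s.length)]);
  while (chars.length < length) chars.push(all[pick(all.length)]);
  // Fisher-Yates shuffle so the guaranteed characters are not always first.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = pick(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}
```

Because the output depends only on the inputs, getting a new password for one service in this sketch means changing an input, such as the version tag in the salt.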
CarryPass supports secure credential sharing via team vaults and QR onboarding. Each team member can access only what they’ve been assigned — nothing more. TOTP verification is supported for extra protection.
Admins can prepare encrypted configs, assign members, and rotate credentials — all without accessing passwords themselves.
CarryPass implements full end-to-end encryption (E2EE) for all sensitive data, including password vaults, credentials, and team configurations. All encryption and decryption operations are performed exclusively on the user's device, using keys derived locally from user-provided passcodes or credentials.
Encrypted vaults may be stored locally or delivered via a server (including through service workers for offline use), but only in encrypted form. CarryPass servers and infrastructure never store or process plaintext data or encryption keys, and cannot access user vaults, passwords, or configurations at any time.
This architecture ensures that only the intended recipient, using their local device and passcode, can access the decrypted content — even if encrypted data is intercepted, exfiltrated, or hosted on third-party infrastructure.
CarryPass was designed to solve real privacy challenges — like using your password manager on a new device, in airplane mode, or on systems you don’t trust. It requires no backend and leaves nothing behind.
For detailed usage instructions and security design, see: