software

Building a Secure Password Manager

Published: (January 3, 2026 at 01:36 PM EST)
2 min read
Source: Dev.to

Source: Dev.to

Overview

This project is a secure desktop password manager built using Python and Tkinter. It stores and manages credentials locally with strong encryption and secure UX patterns. The design follows security‑first principles similar to real‑world password managers while remaining understandable and auditable.

Core Design

High‑level flow

  • Master Password
  • PBKDF2 Key Derivation
  • AES‑256‑GCM Encryption
  • Encrypted Vault File (vault.enc)

Key rules enforced

  • The master password is never stored.
  • Passwords are never written to disk in plaintext.
  • The vault is decrypted only in memory.
  • Passwords are never auto‑displayed.

Cryptography Implementation

Key Derivation

  • PBKDF2 (SHA‑256) with a randomly generated salt.
  • High iteration count to slow brute‑force attacks.
  • Produces a 256‑bit key for encryption.

Encryption

  • AES‑256‑GCM for authenticated encryption, providing confidentiality and integrity.
  • Any tampering with the vault file causes decryption to fail.
  • The encrypted vault is stored locally as a single file named vault.enc.

Vault Design

  • Stored as encrypted JSON.
  • Exists only in memory after login.
  • The entire vault is encrypted as one unit; no partial or plaintext storage.

User Interface (Tkinter)

Screens

  • Login Screen – Master password authentication.
  • Vault Screen – Displays only site and username.
  • Add Password Screen – Secure input with toggle.

Show / Hide Password Toggle

  • Passwords are masked by default.
  • Users can toggle visibility while entering a new password; the toggle affects only the input field and does not expose passwords in the main vault view.

Viewing Passwords (Explicit Action Only)

Passwords are revealed only when the user:

  1. Selects an entry.
  2. Clicks View Password.

This ensures no accidental exposure and requires clear user intent, mirroring secure UX behavior of tools like KeePass and Bitwarden.

One‑Click Copy and Auto‑Clear Clipboard

  • Copy Password button copies the password to the clipboard.
  • The clipboard auto‑clears after 15 seconds, reducing screen exposure and mitigating clipboard leakage risks.

Security Highlights

  • AES‑256‑GCM encryption.
  • PBKDF2 key derivation.
  • No plaintext passwords on disk.
  • Decryption performed only in memory.
  • No logging of secrets.
  • Clipboard auto‑clear.
  • Explicit password access.

Project Structure

PasswordManager/
├── password_manager.py   # Encryption and vault logic
├── ui.py                  # Tkinter UI
├── vault.enc              # Encrypted vault (auto‑created)
├── salt.bin               # Cryptographic salt
├── screenshots/           # Example UI screenshots
└── README.md

Repository

🔗 GitHub Repo

Back to Blog

Related posts

Read more »

Decorative Cryptography

Article URL: https://www.dlp.rip/decorative-cryptography Comments URL: https://news.ycombinator.com/item?id=46496494 Points: 24 Comments: 3...