How It Works

🔑

1. Wallet Secret

Your VerusID spending key signs a fixed message. The resulting signature is hashed to produce a stable wallet secret that never leaves your device.

🔀

2. HMAC Derivation

HMAC-SHA256 combines the wallet secret with a site-specific label (site name + counter) to derive a unique, per-site key. Changing the counter rotates the password.

🔒

3. Password Encoding

The derived key is encoded to the site's charset profile (full, alphanumeric, or PIN) and trimmed to the requested length. Deterministic and reproducible every time.
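The three steps above as a runnable sketch. This is an added example, not the project's own code. Assumptions: the wallet returns the same signature bytes for the fixed message every time, the hash in step 1 is SHA-256, the label layout is `site:counter`, the charset contents are as listed in the code, and the encoder uses HMAC expansion with rejection sampling so that every character is equally likely.

```python
import hashlib
import hmac
import string

# Charset profiles named on the page; their exact contents are assumed here.
CHARSETS = {
    "full": string.ascii_letters + string.digits + "!@#$%^&*()-_=+",
    "alphanumeric": string.ascii_letters + string.digits,
    "pin": string.digits,
}

def wallet_secret(signature: bytes) -> bytes:
    """Step 1: hash the signature over the fixed message (SHA-256 assumed)."""
    return hashlib.sha256(signature).digest()

def site_key(secret: bytes, site: str, counter: int) -> bytes:
    """Step 2: HMAC-SHA256 over a site label; the label layout is assumed."""
    label = f"{site}:{counter}".encode()
    return hmac.new(secret, label, hashlib.sha256).digest()

def encode_password(key: bytes, charset: str, length: int) -> str:
    """Step 3: map key bytes to the charset without modulo bias."""
    alphabet = CHARSETS[charset]
    # Largest multiple of len(alphabet) that fits in a byte; bytes at or
    # above it are rejected so every character is equally likely.
    limit = 256 - (256 % len(alphabet))
    out, block = [], 0
    while len(out) < length:
        # Expand the 32-byte key into as many stream bytes as needed.
        stream = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in stream:
            if b < limit and len(out) < length:
                out.append(alphabet[b % len(alphabet)])
        block += 1
    return "".join(out)

def derive_password(signature, site, counter, charset, length):
    """Run the full chain: signature -> wallet secret -> site key -> password."""
    key = site_key(wallet_secret(signature), site, counter)
    return encode_password(key, charset, length)

# Constructed stand-in for a VerusID signature; not real wallet output.
SAMPLE_SIGNATURE = b"constructed-signature-bytes-for-demo"

if __name__ == "__main__":
    for counter in (1, 2):  # bumping the counter rotates the password
        print(counter, derive_password(SAMPLE_SIGNATURE, "example.com", counter, "full", 20))
    print(derive_password(SAMPLE_SIGNATURE, "bank.example", 1, "pin", 6))
```

Only the signature is secret here: site, counter, charset and length are the same metadata the vault stores, so anyone who obtains the signature or the hashed wallet secret can regenerate every password.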

Key Features

No Master Password

Your VerusID spending key is the only secret. No additional master password to remember, forget, or have phished.

No Server Breach Risk

Passwords are derived on demand, client-side. The vault stores only metadata (site, username, charset, length) — never the passwords themselves.

Trivial Rotation

Increment the counter for any entry and a completely new password is derived. No complex migration — just bump and re-register.

Cross-Device Sync

Vault metadata can sync anywhere freely. As long as you can sign with your VerusID on the new device, all passwords regenerate identically.

Vault Entry Schema