DBLess
A hash-based, database-less password manager
2024-03-27
Project Readme • Project Files • GitHub Repo • dbless.py
A description of the DBLess algorithm can be found in the project’s readme. The core idea is to hash together a master password and some metadata that uniquely identifies an account to be logged into, then use the digest as the account password.
The actual DBLess algorithm encodes the SHA-256 digest in Ascii85 for compactness. The implementations also feature a master password checksum printout for peace of mind. I wrap it all in a shell alias that hashes in a secret token for salting and copies generated passwords to my clipboard.
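The scheme described above, written out as an added example in Python (this is not the project's dbless.py; the field order, the NUL separator and the 4-hex-digit checksum form are assumptions, since the post does not spell them out):

```python
import base64
import hashlib


def master_checksum(master: str, length: int = 4) -> str:
    """Short fingerprint of the master password alone, shown before deriving
    anything so a typo in the master is caught early. Assumed form: the first
    `length` hex digits of SHA-256(master)."""
    return hashlib.sha256(master.encode("utf-8")).hexdigest()[:length]


def dbless_password(master: str, account: str, token: str = "") -> str:
    """Derive the per-account password.

    SHA-256 over master password + secret token (the 'salt' from the shell
    alias) + account metadata, then Ascii85-encode the 32-byte digest, which
    gives exactly 40 printable characters. The NUL-joined layout is an
    assumption made for this example, not the project's documented format.
    """
    material = "\x00".join([master, token, account]).encode("utf-8")
    digest = hashlib.sha256(material).digest()
    return base64.a85encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed sample inputs; the account string is whatever uniquely
    # identifies the login (site plus username here).
    master = "correct horse battery staple"
    print("master checksum:", master_checksum(master))
    print("password:", dbless_password(master, "example.com:alice", token="my-secret-token"))
```

Because the derivation is deterministic and uses a single fast SHA-256, the strength of the master password carries the whole scheme. Ascii85 output also contains punctuation that some sites reject, so the allowed character set of each site is worth checking before relying on the raw digest.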
In some sense, DBLess is a safe way of using the same password for everything, because it moves the responsibility of hashing and salting into your own hands; database leaks, even plaintext ones, remain isolated to the individual account and cannot compromise the master password. And the algorithm is simple enough that nothing has to be taken on trust.
It’s all so obvious and convenient, but nobody else is doing it. Why?