Smart Passwords Library: Cryptographic password generation and management without storage. Generate passwords from secrets, verify knowledge without exposure, manage metadata securely.
Now with Cross-Platform Determinism: Same secret + same parameters = identical password on JavaScript, C#, Python, Go, Kotlin and any language with SHA-256.
Decentralized by Design: Unlike traditional password managers that store encrypted vaults on central servers, smartpasslib stores nothing. Your secrets never leave your device. Passwords are regenerated on-demand — no cloud, no database, no trust required.
By using this software, you agree to the full disclaimer terms.
Summary: Software provided "AS IS" without warranty. You assume all risks.
Full legal disclaimer: See DISCLAIMER.md
⚠️ This version is NOT backward compatible with v1.x.x
Passwords generated with older versions cannot be regenerated with v4.0.0.
📖 Full migration instructions → see MIGRATION.md
- Zero-Storage Security: No passwords or secret phrases are ever stored or transmitted
- Decentralized Architecture: No central servers, no cloud dependency, no third-party trust required
- Cross-Platform Deterministic Generation: Identical secret + parameters = identical password on any language (SHA-256 based)
- Metadata Only: Store only verification metadata (public keys, descriptions, lengths)
- On-Demand Regeneration: Passwords are recalculated when needed, never retrieved from storage
- Cryptographically Secure: Uses Web Crypto API
- Decentralized & Serverless: No central database, no cloud lock-in, complete user sovereignty
- Smart Password Generation: Deterministic from secret phrase
- Public/Private Key System: 15-30 iterations for private key, 45-60 for public key (dynamic per secret)
- Secret Verification: Verify secret without exposing it
- Random Password Generation: Cryptographically secure random passwords
- Authentication Codes: Short codes for 2FA/MFA (4-100 chars)
- No Dependencies: Pure JavaScript, uses Web Crypto API
- Proof of Knowledge: Public keys verify secrets without exposing them
- Decentralized Trust: No third party needed — you control your secrets completely
- Deterministic Security: Same input = same output, always reproducible across platforms
- Dynamic Iteration Counts: Private key uses 15-30 iterations, public key uses 45-60 iterations (deterministic per secret)
- No Vulnerable Metadata Storage: Only public keys and descriptions can be stored (optional)
- Zero Storage of Secrets: Secret phrases exist only in your memory, private keys are derived on-demand and never persisted
- No Recovery Backdoors: Lost secret = permanently lost passwords (by design)
- Pointer-Based Security Paradigm - Architectural Shift from Data Protection to Data Non-Existence
- Local Data Regeneration Paradigm - Ontological Shift from Data Transmission to Synchronous State Discovery
Key derivation (same as Python/C#/Go/Kotlin versions v4.0.0):
| Key Type | Iterations | Purpose |
|---|---|---|
| Private Key | 15-30 (dynamic) | Password generation (never stored, never transmitted) |
| Public Key | 45-60 (dynamic) | Verification (stored locally) |
Character Set: !@#$%^&*()_+-=[]{};:,.<>?/ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz
Validation Rules:
- Secret phrase: minimum 12 characters
- Password length: 12-100 characters
- Code length: 4-100 characters
Decentralized Architecture:
- No central authority required
- Metadata can be synced via any channel (USB, cloud, even paper)
- Your security depends only on your secret phrase, not on any service provider
- Works offline — no internet connection required
Just copy smartpasslib.js to your project and include it:
<script src="path/to/smartpasslib.js"></script>const secret = "MyStrongSecretPhrase2026!";
const length = 16;
const password = await SmartPassLib.generateSmartPassword(secret, length);
console.log(password);const secret = "MyStrongSecretPhrase2026!";
const publicKey = await SmartPassLib.generatePublicKey(secret);
const privateKey = await SmartPassLib.generatePrivateKey(secret);
console.log('Public Key (store locally):', publicKey);
console.log('Private Key (never store):', privateKey);const secret = "MyStrongSecretPhrase2026!";
const storedPublicKey = "..."; // from local
const isValid = await SmartPassLib.verifySecret(secret, storedPublicKey);
if (isValid) {
const password = await SmartPassLib.generateSmartPassword(secret, 16);
}// Strong random (cryptographically secure)
const strong = await SmartPassLib.generateStrongPassword(20);
// Base random
const base = await SmartPassLib.generateBasePassword(16);
// Authentication code (4-100 chars)
const code = await SmartPassLib.generateCode(8);| Property | Type | Description |
|---|---|---|
VERSION |
string | Library version (4.0.0) |
CHARS |
string | Character set used for generation |
| Method | Parameters | Returns | Description |
|---|---|---|---|
generatePrivateKey(secret) |
secret: string | Promise<string> | Private key (15-30 iterations) |
generatePublicKey(secret) |
secret: string | Promise<string> | Public key (45-60 iterations) |
verifySecret(secret, publicKey) |
secret, publicKey | Promise<boolean> | Verify secret matches public key |
generateSmartPassword(secret, length) |
secret, length | Promise<string> | Deterministic password |
generateStrongPassword(length) |
length | Promise<string> | Cryptographically random |
generateBasePassword(length) |
length | Promise<string> | Simple random password |
generateCode(length) |
length | Promise<string> | Short code (4-100 chars) |
| Parameter | Minimum | Maximum |
|---|---|---|
| Secret phrase | 12 chars | unlimited |
| Password length | 12 chars | 100 chars |
| Code length | 4 chars | 100 chars |
- Minimum 12 characters (enforced)
- Case-sensitive
- Use mix of: uppercase, lowercase, numbers, symbols
- Never store digitally
- NEVER use your password description as secret phrase
✅ "MyStrongSecretPhrase2026!" — mixed case + numbers + symbols
✅ "P@ssw0rd!LongSecret" — special chars + numbers + length
✅ "GitHubPersonal2026!" — description + extra chars
❌ "short" — too short, raises exception
❌ "GitHub Account" — using description as secret (weak!)
❌ "password" — dictionary word, too short
❌ "1234567890" — only digits, too short
There is no "forgot password" button. This is by design:
- No central server can reset your passwords
- No support team can recover your access
- Your secret phrase is the ONLY key
This is the price of true decentralization — you are completely in control.
The same deterministic algorithm is available in multiple languages. SmartPassLib JS produces identical passwords to:
| Language | Repository |
|---|---|
| Python | smartpasslib |
| Kotlin | smartpasslib-kotlin |
| Go | smartpasslib-go |
| C# | smartpasslib-csharp |
Open test.html in your browser to run the test suite.
Core Libraries:
- smartpasslib - Python
- smartpasslib-js - JavaScript (this)
- smartpasslib-kotlin - Kotlin
- smartpasslib-go - Go
- smartpasslib-csharp - C#
CLI Applications:
- CLI Smart Password Manager (Python)
- CLI Smart Password Generator (Python)
- CLI Smart Password Manager (C#)
- CLI Smart Password Generator (C#)
Desktop Applications:
Other:
Copyright (©) 2026, Alexander Suvorov
Alexander Suvorov - GitHub
- Issues: GitHub Issues
- Documentation: This README