I built a prototype password tool that never stores passwords or vaults. Instead, it derives them on the fly using:
* A hardware OpenPGP key (smartcard/YubiKey/etc.)
* User inputs (domain + login + a simple passphrase)
* Deterministic signing + KDF
So as long as you have the hardware key and the same inputs, you can always reproduce the same password. Nothing is stored locally.
Current status:
* Python CLI, pre-release v0.9.0
* Tested only on Windows 10 with RSA4096 keys
* Requires GPG installed
* English default + Chinese i18n (basic)
Limitations:
1. Not audited (research/PoC)
2. Only RSA tested
3. No GUI (TUI planned)
4. Not tested on other platform
5. Some sites may reject the generated charset (You can edit, but it may cause a mess.)
Looking for feedback on:
1. Security flaws in this design?
2. Portability to Linux/macOS and non-RSA keys
3. Possible ways to use hardware keys without shelling out to GPG
4. Usability / UX ideas (TUI, i18n, etc.)
Links:
GitHub: https://github.com/biliyoyo520/paasword/
Blog: https://blog.yoyo250.fun/archives/coding/16.html
Thanks!