Help What is LesS/KEY & how it works click to open
LesS/KEY is a password manager that stores no passwords. It re-generates each one on demand from your single master password plus the name of the account. The same name and master always produce the same password, so there is nothing secret to leak, sync, or back up, and you only ever remember one phrase. By default each password is six short, memorable words. That is the correct horse battery staple idea from xkcd 936, built on the classic S/KEY one-time-password scheme (RFC 2289).
Nothing leaves your device. Everything happens locally. Your master password and the passwords it generates are never sent anywhere, never stored on a server, and never logged. There is no account, no sync, and no tracking. The app is a single page plus a WebAssembly module, with its fonts bundled in. Once it has loaded, it makes no network requests at all.
Quick password
Type an account name and your master phrase. The password appears instantly, masked; click it (or the master) to reveal, or press Copy. The save button steps from Store (file the entry — its name and rules, never the password) to Correct (confirm this name + master); once confirmed the result shows in colour, so a typo stays black.
Console
The full command line; type help for every command. It shares the
same catalog and session as the form above, so you can switch between them freely;
pb copies a command's output to the clipboard. Your list lives only in
this browser (localStorage); use Export or Import
to move it yourself (for example, to and from a Notion page).
Naming rules
After a name you can add a length and a mode. R is six memorable words
(the default); C camel; H hex; B base64;
D digits (U… = upper); T a TOTP one-time code
(RFC 6238). For example, github 20R. End a name with ^folder
to derive it from a parent; you still type only your one master and the whole chain
is computed. Or leave the master box empty and you're asked for the parent's own
password instead (blank climbs to its parent, and so on).
A T entry carries an inline seed, written #"otpauth://…"
(or a bare base32 secret); enc <name> then prints its current code.
!"a note" stores an encrypted note. Both are sealed with a key derived
from the entry and its master chain — never kept in the clear — and
reveal <name> decrypts them.
Example: add totp T 99 now #"otpauth://totp/x?secret=JBSWY3DPEHPK3PXP".
A name starting with + (like +vault) is an independent
root: its password is entered, never derived, and the chain stops there — separate
master passwords for separate subtrees. A base starting with $ (or
+$) makes its whole subtree derive the unfolded 160-bit value
(15 words instead of 6); set it once, everything below inherits.
Runs the real hel engine compiled to WebAssembly, the exact same generator as the command-line tool. You can add it to your home screen and use it as an app. No server, no account, no tracking, nothing to leak.
Quick password
Same name + master always make the same password, computed in your browser — your master stays in memory only, never stored or sent. Store saves the entry (never the password); Correct saves a one-way hash.
Console All commands click to open
The full hel command line: ls, add,
enc, gen, comment,
correct, help, … Your catalog persists in this
browser (localStorage). Generated passwords are masked; click to reveal.