One release cycle at a time, LesS/KEY has quietly grown from a neat password generator into the tool we reach for every day. Today's update is the biggest since launch: two-factor codes, stronger cryptography under the hood, and a set of small conveniences that make the browser version feel like a native tool, especially on a phone.

Your 2FA codes, without the vault

LesS/KEY's whole idea is that it stores no passwords: everything is re-generated from one master phrase. Two-factor codes, the six digits that refresh every thirty seconds, do not work that way. They are computed from a secret that you and the website share, so the secret has to live somewhere. That used to mean a separate authenticator app, and a quiet exception to the no-vault philosophy.

Now LesS/KEY handles them natively. Give an entry the new mode T and paste the setup secret once, the same text that hides behind the QR code a site shows you when you enable 2FA. From then on, asking for that entry prints the current six-digit code, on your desktop or on your phone, fully offline.

Sealed, not stored

That shared secret is the one thing LesS/KEY must keep, so it is kept the way secrets should be. On your device, the seed is encrypted with XChaCha20-Poly1305 under a key derived from your master chain through argon2id, a deliberately slow, memory-hard function (64 MiB and about a second per unlock, tuned to make guessing expensive). The key carries the full 160-bit strength of the underlying chain, and every sealed blob is bound to its own entry, so it cannot be quietly moved or swapped. It is decrypted only in the moment you ask for a code, and it never leaves your device.

The same sealing works for free-form notes: a short encrypted remark can ride along with any entry, readable only with its password.

A vault you cannot avoid should at least be microscopic, sealed with real cryptography, and kept in your own pocket.

Several masters, longer passphrases

Two building blocks landed for people who take compartmentalization seriously. A name starting with + is an independent root: its password is entered, never derived, so work and personal trees can live under separate masters that never mix. And a base whose name starts with $ switches its whole subtree to the unfolded derivation: fifteen words instead of six, carrying the full 160 bits all the way through. A new rnd command mints candidate passphrases for such roots from pure OS randomness.

Kinder on a phone

The rest of the update is convenience, the kind you notice by its absence. The command console now behaves like a real shell on a phone: it fits the screen, stays visible above the on-screen keyboard, resizes with a drag handle, and revealing a masked password no longer closes the keyboard. The name field suggests entries from your catalog as you type. Derived names generate without the root master: leave the master box empty and LesS/KEY asks for the parent's password instead, level by level, exactly like the command-line tool. And Import now accepts a whole markdown page, so a catalog kept in Notion can be pasted back in one go.

Everything above still happens entirely on your device: no server, no account, no telemetry. The installed app keeps updating itself, and your catalog survives every update. Change for the better, one cycle at a time.

Oleksandr Kozachuk, Kaizenkodo