We build a lot of small, sharp tools for our own work, the kind of utility you reach for ten times a day and never think about. Some are good enough that it would be a shame to keep them to ourselves. So we have opened a Tools section: a home for the little things we make, free to use, and refined in the same cycles as everything else we ship.

First up: LesS/KEY

LesS/KEY is a password manager with an unusual property: it stores no passwords. Instead of keeping a vault, it re-generates each password on demand from a single master phrase plus the name of the account. The same name and master always produce the same password, so there is nothing to leak, sync, or back up, and you only ever remember one phrase.

Under the hood it is S/KEY, the time-tested one-time-password scheme from RFC 2289. So by default each password is six short, memorable words rather than a tangle of symbols. That is the xkcd 936 idea, correct horse battery staple: easier for a person to remember and type on any keyboard, and harder for a machine to guess. Prefer hex, base64 or digits? A single mode letter switches the format.

xkcd 936 'Password Strength': a passphrase of four common words such as 'correct horse battery staple' is far stronger, and far easier to remember, than a short string of random characters.
xkcd 936, “Password Strength”: why four common words beat a tangle of symbols. xkcd.com/936 · CC BY-NC 2.5

It is the same engine we use on the command line, compiled to WebAssembly so it runs in any modern browser. Type a name and your master phrase and the password appears instantly, masked; a full command console underneath gives power users the complete tool.

Private by design

Because it is a password tool, privacy is not a feature, it is the point. Everything happens on your device. Your master password and the passwords it generates are never sent anywhere, never stored on a server, and never logged. There is no account, no sync, and no tracking. The page even bundles its own fonts, so once it has loaded it makes no network requests at all.

The safest place for a password is nowhere, so we generate it fresh, on your device, every single time.

More to come

This is the first of several. We ship tools the way we ship everything, in small, deliberate iterations, and more will appear in the Tools section as they earn their place. Change for the better, one cycle at a time.

Oleksandr Kozachuk, Kaizenkodo