Configs · May 10, 2026 · 3 min read

LessPass — Stateless Open Source Password Manager

Deterministic password manager that computes passwords on the fly from a master password without storing anything.

Introduction

LessPass is a stateless password manager that generates unique, strong passwords deterministically from a master password, a site name, and a username. Unlike traditional password vaults, LessPass does not store encrypted passwords anywhere. The same inputs always produce the same output, so your passwords are available on any device without syncing.

What LessPass Does

  • Generates unique passwords from master password, site, and login inputs
  • Produces consistent results across all devices without any stored data
  • Offers customizable password rules (length, character types, counter)
  • Provides browser extensions for Chrome, Firefox, and Edge
  • Includes an optional self-hosted server for saving password profiles

Architecture Overview

LessPass uses PBKDF2 with 100,000 iterations of SHA-256 to derive passwords deterministically. The core algorithm runs entirely client-side in the browser or CLI. The optional server component is a Django REST API backed by PostgreSQL that stores only password profiles (site, login, options) — never the master password or generated passwords.
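
The derivation described above can be sketched as follows. This is an added example, not LessPass's own code: the salt layout (site + login + hex counter), the character sets, and the rendering step are assumptions for illustration, so its output should not be expected to match real LessPass passwords.

```python
import hashlib

# Character classes; which ones are enabled is part of a site's "options".
# These exact sets are assumed for the example.
CHARSETS = {
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}

def derive_entropy(master, site, login, counter):
    """PBKDF2-HMAC-SHA256 with 100,000 iterations, as stated on the page.
    Assumption: salt = site + login + hex(counter)."""
    salt = (site + login + format(counter, "x")).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=32)
    return int.from_bytes(key, "big")

def render(entropy, length, rules):
    """Consume the 256-bit integer with repeated divmod so each character
    uses fresh entropy rather than a reused byte modulo the alphabet size."""
    if not len(rules) <= length <= 35:  # beyond this, 256 bits would run out
        raise ValueError("length must be between len(rules) and 35")
    alphabet = "".join(CHARSETS[r] for r in rules)
    chars = []
    for _ in range(length - len(rules)):
        entropy, i = divmod(entropy, len(alphabet))
        chars.append(alphabet[i])
    # Guarantee one character from every enabled class, at a derived position.
    for r in rules:
        entropy, i = divmod(entropy, len(CHARSETS[r]))
        entropy, pos = divmod(entropy, len(chars) + 1)
        chars.insert(pos, CHARSETS[r][i])
    return "".join(chars)

def generate(master, site, login, counter=1, length=16,
             rules=("lowercase", "uppercase", "digits", "symbols")):
    """Same inputs always give the same password; nothing is stored."""
    return render(derive_entropy(master, site, login, counter), length, list(rules))

if __name__ == "__main__":
    # Constructed sample inputs.
    print(generate("correct horse battery staple", "example.org", "alice"))
    print(generate("correct horse battery staple", "example.org", "alice", counter=2))
```

Because every site password is recomputable from the inputs, the master password is the only secret: the iteration count slows guessing but does not compensate for a weak master password.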

Self-Hosting & Configuration

  • Deploy the server via Docker Compose for profile synchronization
  • Configure the admin password and database via environment variables
  • Access the web frontend directly from the Docker container
  • Install browser extensions and point them to your self-hosted instance
  • Profiles are optional; the pure stateless mode needs no server at all

Key Features

  • Zero-knowledge architecture with no stored passwords
  • Works offline with no server or sync required
  • Deterministic generation ensures the same password on every device
  • Adjustable password complexity with length and character set controls
  • Counter mechanism for rotating passwords without changing the master

Comparison with Similar Tools

  • Bitwarden — encrypted vault-based; LessPass is stateless with no vault to breach
  • KeePassXC — local encrypted database; LessPass computes passwords without storage
  • 1Password — cloud-synced vault; LessPass generates passwords on demand
  • Spectre (Master Password) — similar stateless concept; LessPass offers self-hosted profile sync

FAQ

Q: What happens if I forget my master password? A: There is no recovery mechanism. LessPass never stores your master password. You must remember it.

Q: Can I change a generated password for a specific site? A: Yes, increment the counter value for that site to generate a new password while keeping the same master password.

Q: Is the self-hosted server required? A: No. The core functionality is fully client-side. The server only stores profile metadata for convenience.

Q: How secure is the password generation? A: LessPass uses PBKDF2 with 100,000 SHA-256 iterations, making brute-force attacks computationally expensive.
