voidful/Cipher


Cipher

Cipher is now a static web app for turning a memorable private concept into a strong deterministic password.

Website: https://voidful.github.io/Cipher/

How to Use

  1. Open the site and set a long Cipher Key. Treat it like your master password.
  2. Choose one input method: text, gesture, link pattern, or QR scan.
  3. For each website or app, enter something unique to that service, such as google.com, a bank name, or a pattern you can repeat.
  4. Press Generate, copy the result, and use it as that service's password.
  5. Next time, use the same Cipher Key and the same input to recreate the same password.

Important: do not reuse the same input for every website. The Cipher Key stays in memory only and is cleared when the page closes, after idle timeout, or after background timeout.

Features

  • Text, gesture, link-pattern, and QR scan inputs.
  • Unsplash photo-card launcher inspired by the original mobile UI.
  • Mobile-first one-page launcher: inputs and password controls expand only after a feature is opened.
  • Session-only Cipher Key verification with a minimum-strength check.
  • Password length and character-set controls, defaulting to 32 characters and a 16-character minimum.
  • Local QR decoding from camera or image upload on browsers with BarcodeDetector.
  • QR decoding falls back to a local vendored jsQR decoder when BarcodeDetector is unavailable.
  • Clipboard copy with best-effort auto-clear and hidden-by-default generated output.
  • No backend, no analytics, and no remotely loaded runtime scripts.

Security Model

  • Passwords are derived in the browser with Web Crypto PBKDF2-HMAC-SHA-256.
  • The Cipher Key is kept only in memory and is cleared when the page closes.
  • Sensitive state is also cleared after idle/background timeout.
  • The app stores only non-secret UI settings in localStorage.
  • A strict Content Security Policy is declared in index.html.
  • QR image upload is limited to image files under 8 MB.
  • Remote images are limited to Unsplash static backgrounds, with Referrer-Policy: no-referrer.
  • No remote runtime scripts are loaded.
  • assets/vendor/jsQR.js is vendored locally under Apache-2.0 for browser QR compatibility.

This web version intentionally does not keep compatibility with the old Android password output. The priority is stronger local derivation and safer default behavior.
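A sketch of how a deterministic per-service password can be derived with Web Crypto PBKDF2-HMAC-SHA-256, added here as an example and not taken from the Cipher source. Assumptions: the function name `derivePassword`, the 600,000 iteration count, using the service input as the PBKDF2 salt, the HMAC counter-mode expansion, and the character set are all illustrative, not the project's actual parameters.

```javascript
// Added illustration, not the Cipher project's code. The iteration count, the
// use of the service input as salt, and the character mapping are assumptions.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder();
const CHARSET =
  'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@';
const ITERATIONS = 600000; // assumed work factor

async function derivePassword(cipherKey, serviceInput, length = 32, charset = CHARSET) {
  if (!cipherKey || !serviceInput) throw new RangeError('key and service input are required');
  if (length < 16) throw new RangeError('length is below the 16-character minimum');
  if (charset.length < 2 || charset.length > 256) throw new RangeError('unsupported charset size');

  // Stretch once: PBKDF2-HMAC-SHA-256, Cipher Key as password, service input as salt.
  const base = await subtle.importKey('raw', enc.encode(cipherKey), 'PBKDF2', false, ['deriveBits']);
  const seed = await subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256', salt: enc.encode(serviceInput), iterations: ITERATIONS },
    base, 256);

  // Expand cheaply with HMAC in counter mode so rejected bytes can be replaced.
  const mac = await subtle.importKey('raw', seed, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);

  // Bytes >= limit are discarded; b % charset.length on the rest is unbiased.
  const limit = 256 - (256 % charset.length);
  let out = '';
  for (let block = 0; out.length < length; block++) {
    const bytes = new Uint8Array(await subtle.sign('HMAC', mac, enc.encode(`block:${block}`)));
    for (const b of bytes) {
      if (b < limit && out.length < length) out += charset[b % charset.length];
    }
  }
  return out;
}
```

The same Cipher Key and service input always reproduce the same password, while changing either one yields an unrelated result, which is why each service needs its own input.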

Development

Run the deterministic crypto tests:

npm test

Serve locally:

python3 -m http.server 8080

Then open http://localhost:8080.

Android

The legacy Android app has been moved to android/ and converted to Kotlin source. It now targets Android SDK 36, uses Android Gradle Plugin 9.1.0 / Gradle 9.3.1, disables app backup and cleartext traffic, and bumps the app version to 2.0.0 (versionCode 4).

cd android
./gradlew test

Deployment

GitHub Pages is deployed from the repository root. index.html, assets/, and .nojekyll are enough for the existing Pages setup to publish the static app.

License

See LICENSE.
