Optimize Your Life: Passwords

File Server
Pass: My password generator that's simple and lightweight

When I was fixing computers for a living (a lifetime ago), I saw the exact same desktop file constantly. My customers literally named it passwords.txt. It contained every login, account number, and piece of personal info they had, completely unencrypted and readable by anyone who sat down at the machine. Anyone with five seconds alone with the screen could have all the keys to their digital life.

Today, people are slightly better, but not by much. The secure thing to do is to use a long, unique, random password for every account, but practically nobody does this because it’s impossible to manage by hand. People reuse something simple, maybe tack 1! on the end, and move on. This works fine right up until a forum or online retailer gets hacked and hands attackers your login info. Sites like Have I Been Pwned track credential leaks, and the numbers are ridiculous. If you’ve had an email address for more than a few years, there’s a significant chance it’s shown up in at least one. (Bookmark breach.vip as another way to check your stuff.) Once a reused password leaks, every account that shares it is exposed to credential stuffing.

Password managers

Password managers fix the immediate problem: they generate strong credentials, store them in an encrypted vault, and can automate logging into your favorite sites. Cloud options like 1Password, LastPass, and Bitwarden are convenient, but you’re paying a company to hold an encrypted copy of every credential you own. That only works if you trust them, if their client-side encryption and key derivation are done right, and if their systems are never compromised.

LastPass has become infamous for how it chose not to disclose the severity of its 2022 breach. Crypto stolen from the massive leak is still being discovered today, and the company recently settled a class-action lawsuit for $24.5M. They lied and downplayed the hack for months despite constantly being headlined in security news. When the truth finally came out, it was much worse than anyone imagined. There was massive community backlash, and simply mentioning their name will make security nerds shudder.

1Password is currently a fan-favorite of Apple users, but they raised their prices 33% this year. That isn’t a reason to rule them out as a password solution, but there’s also no reason to assume they couldn’t be the next target. My point is not to completely trust any cloud provider: you don’t know how good their security is or how open they’ll be if there’s a problem.

Bitwarden
Bitwarden: A popular cloud-based password vault

What I do

My personal setup is KeePassXC, synced across my devices with Syncthing. The vault stays local and encrypted on disk, never touches anyone else’s server, and the software is free and open source. Syncthing keeps the database current everywhere without involving a corporate cloud provider. KeePassXC (and the rest of what I run) is listed among my regular apps over at mcwain.net/collections/my_apps.

Doing it this way takes more setup than a subscription service, but everything stays under your control. You sidestep breached services, subscription hikes, and surprise ToS changes. It’s also worth mentioning that the KeePass vault is a single .kdbx file, so it slots into whatever backup workflow you already have. The result is the same encrypted vault on every device, including your phone, with nothing stored anywhere you didn’t put it. If a cloud provider gets socially engineered, none of that affects you. Your credentials don’t exist on their servers because they never did.

KeePassXC
KeePassXC: A desktop app for managing your passwords securely

XKCD’s take

Even with an encrypted password manager that autofills, you eventually have to type a password by hand. Logging into a TV or game console has got to be one of the most annoying tasks in the world. I do this far too often and dread typing one character at a time with a slow remote on a terrible UI (looking at you, Roku!). Passwords like j8#Kp!2xQv are such a pain in the ass. They’re hard to read, annoying to type, and impossible to remember. The extra security may be nice, but in that setting it’s completely impractical.

XKCD #936 makes a point that sticks with all of us nerds. A passphrase like correct horse battery staple is harder to crack and easier to remember than a short, mangled string like Tr0ub4dor&3. Entropy comes from the number of words chosen from a large pool, not from replacing letters with symbols, and that holds even when the attacker has your word list, because the guesswork is in which words were picked. The comic is almost 15 years old and people still use random nonsense like j8#Kp!2xQv. I used xkpasswd.net for a while to generate passphrases using the comic’s idea, but the site runs on someone else’s server, and I have zero visibility into what happens behind the scenes. That said, I’m not particularly worried about it, but it isn’t mine, and I wanted to add some additional features anyway.

Building Pass

So I built Pass. It’s a self-hosted passphrase generator that runs locally as a Python web app. Like all the projects on my site, the goal was to make it simple and personal. Pass is small, customizable, and easy to extend. The backend is a single app.py file with no database, no dependencies beyond Bottle, and no build step. The word pool sits directly in the file and currently holds 1,821 curated English words of four to eight letters. You can read it, edit it, add to it, and understand exactly what you’re running.

What it does

Passphrases

  • Compact: 3 words, about 32 bits from the words alone (3 × log2 1821). Quick, low-stakes internal stuff.
  • Standard: 4 words with symbols and digits, ~66 bits. Use for everyday things.
  • Extended: 6 words, about 65 bits from the words alone before any decoration. For stuff that needs real strength.

When you open the page, you’ll immediately see something like the following. The passphrases are color coded so they’re easy to read, and clicking any one of them copies it to the clipboard.

@47~wrap~UNLOCK~concept~UNITED~363@
^72-evidence-UNLOCK-bank-PENDANT-560^
=51|discord|MASTER|shape|TEAR|701=

Security questions

This is one of those features I wanted to add. You can generate five to seven random words joined by punctuation, with no capitals or special characters. The idea is something memorable you can drop into a “mother’s maiden name” field that an outsider can’t look up or guess; a random answer beats the true one, which is often public record or sitting on social media. Make sure you add these answers to your password vault so you don’t lose them. They are effectively a second password for account recovery, so treat them like one.
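To show how the passphrase format above and the security-question answers can be produced and measured, here is an added example in Python. It is not Pass’s own app.py: the word pool is a small constructed stand-in for the 1,821-word list, and the wrapper characters, separator set and the lower/UPPER case pattern are assumptions chosen to reproduce the shape of the sample output. The entropy figure for the Standard preset therefore depends on those assumed set sizes; swap in your own sets and the numbers follow.

```python
"""Added example of a Pass-style passphrase generator (not Pass's own code).

The word pool is a constructed stand-in; Pass ships 1,821 words.  The
wrapper and separator sets and the case pattern are assumptions modelled on
the sample output "@47~wrap~UNLOCK~concept~UNITED~363@".
"""
import math
import re
import secrets

# Constructed stand-in pool.  Entropy calculations below use PASS_POOL_SIZE,
# the figure quoted on the page, not the length of this toy list.
WORDS = [
    "wrap", "unlock", "concept", "united", "evidence", "bank", "pendant",
    "discord", "master", "shape", "tear", "orbit", "copper", "tango",
    "falcon", "glacier",
]
PASS_POOL_SIZE = 1821

# Assumed decoration sets; change them to match your own app.py.
WRAPPERS = "@^=#%&*+"      # the same character opens and closes the phrase
SEPARATORS = "-_~|.:"      # one separator is used throughout a phrase

PRESETS = {"compact": 3, "standard": 4, "extended": 6}


def passphrase(word_count=4, decorate=True, words=WORDS):
    """Return e.g. '@47~wrap~UNLOCK~concept~UNITED~363@' for word_count=4.

    secrets (the OS CSPRNG) is used throughout; random.choice() is seeded
    from a predictable state and must not be used for credentials.  Case
    alternates lower/UPPER purely for readability, so it adds no entropy.
    """
    picks = [secrets.choice(words) for _ in range(word_count)]
    cased = [w.upper() if i % 2 else w.lower() for i, w in enumerate(picks)]
    if not decorate:
        return " ".join(cased)
    sep = secrets.choice(SEPARATORS)
    wrap = secrets.choice(WRAPPERS)
    prefix = f"{secrets.randbelow(100):02d}"     # two-digit prefix
    suffix = f"{secrets.randbelow(1000):03d}"    # three-digit suffix
    return f"{wrap}{prefix}{sep}{sep.join(cased)}{sep}{suffix}{wrap}"


def security_answer(min_words=5, max_words=7, words=WORDS):
    """Lowercase words joined by one separator: no capitals, no digits."""
    n = min_words + secrets.randbelow(max_words - min_words + 1)
    sep = secrets.choice(SEPARATORS)
    return sep.join(secrets.choice(words).lower() for _ in range(n))


def entropy_bits(word_count, decorate=True, pool_size=PASS_POOL_SIZE):
    """Entropy of a phrase drawn from a pool of pool_size words.

    Words are drawn with replacement, so each contributes log2(pool_size)
    even if the attacker holds the list.  Decorations add log2 of the number
    of choices each one has; the fixed case pattern adds nothing.
    """
    bits = word_count * math.log2(pool_size)
    if decorate:
        bits += math.log2(len(WRAPPERS))    # wrapper character
        bits += math.log2(len(SEPARATORS))  # separator
        bits += math.log2(100)              # two-digit prefix
        bits += math.log2(1000)             # three-digit suffix
    return bits


def parse(phrase):
    """Split a decorated phrase back into its parts, or None if malformed."""
    m = re.fullmatch(r"(.)(\d{2})(.)((?:[A-Za-z]+\3)+)(\d{3})\1", phrase)
    if not m:
        return None
    wrap, prefix, sep, body, suffix = m.groups()
    return {"wrap": wrap, "prefix": prefix, "sep": sep,
            "words": body.split(sep)[:-1], "suffix": suffix}


if __name__ == "__main__":
    for name, count in PRESETS.items():
        print(f"{name:9s} {entropy_bits(count):5.1f} bits  {passphrase(count)}")
    print("answer   ", security_answer())
```

With the assumed sets, the Standard preset works out to 4 × log2 1821 ≈ 43.3 bits from the words plus about 22 bits from the wrapper, separator and digits, which is where a figure near 66 bits comes from. The parse() helper is there so you can check that whatever your app.py emits really has the structure you think it has.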

Device names

Nerds typically have access to a large fleet of computers and servers, and usually follow a naming convention for them, so I added that to Pass. Instead of calling things desktop-1 and laptop-2, you can pull from 10 themed categories like space, periodic elements, the NATO phonetic alphabet, and Star Wars (classic and prequel era only, no stupid sequel references). These can easily be changed or added to in the Python file.

The entropy bar at the bottom updates live so you can see exactly how strong each preset is. Everything runs client-side after the initial page load, with no external requests or tracking. As you may have gathered from reading around my site, I’m not a fan of ads and tracking.

Running it

The app ships as a .zip file containing everything you need to get it up (uh huh huh). Download Pass here.

The included service file makes it easy to keep the app running in the background. It sets hardening options like NoNewPrivileges and ProtectSystem=strict so the process runs with as little privilege as possible. The app listens on 127.0.0.1:8736 by default. I recommend pairing it with a reverse proxy (more on that later) so you can reach it at https://pass.{domain}. If the proxy runs on the same machine, leave the loopback bind alone. Only if the proxy lives on another host do you need to bind to 0.0.0.0 in the script, and then remember that you’ve exposed a plain-HTTP service to everyone on that network: restrict it with a firewall rule and confirm what is actually listening with ss -ltnp.

Once you have it set up, systemctl-tui is worth a look. It’s a lightweight terminal UI for managing systemd services that gives you a clean way to check status, start and stop services, and browse logs without reaching for a pile of systemctl commands. I dig it, and you probably will too.

This will get you started with the systemd user service file:

mkdir -p ~/.config/systemd/user
cp pass.service ~/.config/systemd/user/

systemctl --user daemon-reload
systemctl --user enable pass
systemctl --user start pass

You shouldn’t have to rely on a subscription service to generate a secure string of text. Pass is a small, simple tool that gets the job done. Add it to your growing list of self-hosted services, keep your password vault local, and stop handing your personal data to corporations. I don’t trust them and you shouldn’t either.
