scrypt-based stateless password manager.
Go to file
Archargelod 19b78c0d84 add demo to Readme 2023-09-27 13:02:53 +08:00
demo add demo to Readme 2023-09-27 13:02:53 +08:00
src small changes 2023-09-04 14:33:32 +08:00
tests refactor option parsing, unit tests 2023-09-04 14:01:28 +08:00
LICENSE add demo to Readme 2023-09-27 13:02:53 +08:00
brewpass.nim.cfg small changes 2023-09-04 14:33:32 +08:00
brewpass.nimble small changes 2023-09-04 14:33:32 +08:00

Brewpass - stateless password manager

Brewpass is a cli tool for generating deterministic passwords, from a Master Key, a Username and a Service Name.
Brewpass is implemented as a pure function: given the same parameters it will always generate the same password.
Brewpass does not store anything, this way your passwords can't be:

  • lost
  • corrupted
  • destroyed in:
    • data breach
    • natural disaster
  • But, this approach makes your passwords succeptible to brute-force attacks.
    Unless you use long and secure Master Key, do not use this tool.
  • If you use long and secure Master Key, bruteforcing is very impractical and nearly impossible.
  • Sufficiently long Master Key of around 20 characters with no dictionary words or logical patterns, would take atleast 210_494_978_443_749_540 years to crack (assuming generous estimate of 3000 hashes/s).



To use Brewpass, run it from the command line with following options:

./brewpass [ARGUMENTS] [ServiceName]
  • -n --name : Set the Username parameter. Defaults to $USER.

  • -t --tally : Set a unique integer parameter. Defaults to 0.

  • -l --len : Set desired password length. Default length is 20.

  • -N : Change scrypt N parameter, should be a power of 2 [262144]

  • -r : Change scrypt r parameter, tied to a memory usage [8]

  • -p : Change scrypt p parameter [1]

  • --repeat : ask master key twice to avoid typos

  • --notest : do not print the test word in "MasterKey" field

  • -c --copy : copy resulting password to clipboard (requires xsel)

  • -v --version: show version and exit

  • -h --help : show help message and exit

  1. When run, Brewpass will ask for the Master Key (input is hidden for security purposes).
  2. If the Service parameter is not specified, it will ask for it as well.
  3. Next, Brewpass will print the Test Word associated with your password in the key field. You can verify that you typed your password correctly by remembering the Test Word between runs.
  4. Finally, Brewpass will calculate and print the resulting password.


./brewpass --name:Test -l50

Username : Test
Service  :
MasterKey: ANA
Password : ^$436!*49GMkq58zW9o*bzTLoNB029u&1@x481M1$6n&L5Ri#B


Algorithm is designed with an idea to be 'dead simple'.
Legend: '+' is a concatenation, '%' is a remainder.

    key = master_key + tally
    salt = username + service_name
    hash = scrypt(key, salt, N, r, p, length)

    ascii_string = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*0123456789!@#$%^&*"
    password = ""
    for byte in hash:
        password += ascii_string[byte % length(ascii_string)]


  • username and service name can clash, e.g. "george" + "google" and "georg" + "egoogle" produce exactly the same password.
  • symbols and numbers will appear in passwords twice as often - that's intentional, for password forms where they're required.
  • the chosen ascii string should be compatible with 90% of services, other 1% requires special rules that are unwieldy, insecure and should be stored and synced, if you can - do not use these services, if you cannot - use password manager such as Bitwarden to generate and store such passwords.`


Brewpass depends on the following packages:

  • nim compiler >= V2.0 (easy to backport to nim 1.6)
  • nimcrypto >= V0.5.4 by cheatfate

Optional (for smaller static binary produced with nimble musl command):

  • musl library
  • strip utility from binutils package
  • upx


  • install nim toolchain - instructions
  • clone the repo git clone
  • cd brewpass
  • nimble release - to compile release version or
  • nimble musl - to compile tiny static portable version (see Dependencies)