Password-manager
# Lockyt
**A zero-knowledge, end-to-end encrypted password manager built for the modern web.**
[](https://react.dev)
[](https://firebase.google.com)
[](https://tailwindcss.com)
[](./LICENSE)
[Live Demo](https://your-lockyt-url.com) Β· [Chrome Extension](#chrome-extension) Β· [Report Bug](https://github.com/yourusername/lockyt/issues) Β· [Request Feature](https://github.com/yourusername/lockyt/issues)
πΈ Screenshots
| Dashboard | Security Center |
|:---------:|:---------------:|
| 
| 
|
| Vault Entry | Password Generator |
|:-----------:|:-----------------:|
| 
| 
|
| Mobile View | Chrome Extension |
|:-----------:|:----------------:|
| 
| 
|
| |
| Vault Entry | Password Generator |
|:-----------:|:-----------------:|
| | |
| Mobile View | Chrome Extension |
|:-----------:|:----------------:|
| | |
π What is Lockyt?
Lockyt is a full-stack password manager that stores, encrypts, and syncs your credentials across all devices β without ever exposing your plaintext data to the server.
All encryption and decryption happens entirely in your browser. Your master password is never transmitted, never stored, and never seen by anyone but you. Even if the database were compromised, attackers would only find AES-256 encrypted ciphertext.
β¨ Features
Vault
- 5 secure item types β Passwords, Credit Cards, Identities, Secure Notes, SSH Keys
- Real-time sync β Firestore
onSnapshotkeeps your vault live across all devices and tabs - Search & filter β Quickly find entries by name, username, or item type
- Copy to clipboard β One-click copy with auto-clear after 30 seconds
Security
- Zero-knowledge encryption β AES-256-GCM with client-side key derivation
- PBKDF2 key derivation β 600,000 SHA-256 iterations, salted with your Firebase UID
- Breach detection β Checks passwords against HaveIBeenPwned using k-anonymity (your password never leaves your device)
- Session timeout β Automatically locks vault after configurable inactivity period
Tools
- Password generator β Customisable length (6β128), character sets, and custom patterns
Cross-device
- Works on all platforms β Desktop, tablet, and mobile responsive
- Chrome Extension β Autofills credentials on any website directly from your vault
- Smart autofill β Auto-fills if one match, shows a picker if multiple
ποΈ Architecture
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Client (Browser) β
β β
β βββββββββββββββ ββββββββββββββββ β
β β React App β β Chrome β β
β β (Vite) β β Extension β β
β ββββββββ¬βββββββ ββββββββ¬ββββββββ β
β β β β
β ββββββββΌβββββββββββββββββββΌββββββββ β
β β crypto.js β β
β β PBKDF2 key derivation β β
β β AES-256-GCM encrypt/decrypt β β
β β (Web Crypto API β no deps) β β
β ββββββββββββββββ¬βββββββββββββββββββ β
βββββββββββββββββββΌββββββββββββββββββββββββββββββββββββ
β Encrypted ciphertext only
βββββββββββββββββββΌββββββββββββββββββββββββββββββββββββ
β Firebase β
β β
β ββββββββββββββββ ββββββββββββββββ β
β β Firebase Authβ β Firestore β β
β β (Identity) β β (Storage) β β
β ββββββββββββββββ ββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Data stored in Firestore
users/
βββ {uid}/
βββ vault/
β βββ meta β encrypted canary (verifies master password)
βββ passwords/
βββ {entryId}
βββ site β plain (for search)
βββ username β plain (for display)
βββ password β AES-256-GCM encrypted
βββ cardNumber β AES-256-GCM encrypted
βββ notes β AES-256-GCM encrypted
βββ ...
---
## π Getting Started
### Prerequisites
- Node.js 18+
- A Firebase project with **Firestore** and **Authentication** enabled
### 1. Clone the repository
```bash
git clone https://github.com/Rajat2774/Password-manager.git
cd Lockora
2. Install dependencies
npm install
3. Configure Firebase
Create src/firebase.js with your Firebase config:
import { initializeApp } from "firebase/app";
import { getAuth, GoogleAuthProvider } from "firebase/auth";
import { getFirestore } from "firebase/firestore";
const firebaseConfig = {
apiKey: "YOUR_API_KEY",
authDomain: "YOUR_PROJECT.firebaseapp.com",
projectId: "YOUR_PROJECT_ID",
storageBucket: "YOUR_PROJECT.appspot.com",
messagingSenderId: "YOUR_SENDER_ID",
appId: "YOUR_APP_ID",
};
const app = initializeApp(firebaseConfig);
export const auth = getAuth(app);
export const googleProvider = new GoogleAuthProvider();
export const db = getFirestore(app);
4. Set Firestore security rules
In the Firebase Console β Firestore β Rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId}/vault/{document} {
allow read, write: if request.auth != null && request.auth.uid == userId;
}
match /users/{userId}/passwords/{document} {
allow read, write: if request.auth != null && request.auth.uid == userId;
}
}
}
5. Run locally
npm run dev
𧩠Chrome Extension
The Lockyt Chrome Extension enables autofill on any website.
Install from source
- Open
chrome://extensions - Enable Developer mode
- Click Load unpacked
- Select the
lockora-extension/folder
Configure
Edit lockora-extension/firebase-config.js with your Firebase config (same as above).
How it works
User visits a site with a login form
β
Extension detects the form (content.js)
β
Queries Firestore for matching entries (background.js)
β
1 match β Auto-fills silently + shows toast
N matches β Shows picker popup to select which credential
π Project Structure
lockora/
βββ src/
β βββ pages/
β β βββ SignIn.jsx
β β βββ SignUp.jsx
β β βββ UnlockVault.jsx
β β βββ Dashboard.jsx
β β βββ SharePage.jsx
β βββ components/
β β βββ dashboard/
β β βββ Sidebar.jsx
β β βββ VaultCard.jsx
β β βββ VaultModal.jsx
β β βββ PasswordGenerator.jsx
β β βββ SecurityCenter.jsx
β β βββ ShareModal.jsx
β β βββ AccountSettings.jsx
β β βββ SecuritySettings.jsx
β β βββ Icons.jsx
β βββ utils/
β β βββ crypto.js β AES-256-GCM + PBKDF2
β β βββ breach.js β HaveIBeenPwned k-anonymity
β β βββ vault.js β Shared helpers
β βββ constants/
β β βββ vault.js β VAULT_TYPES, FIELDS definitions
β βββ firebase.js
βββ lockora-extension/
β βββ manifest.json
β βββ background.js
β βββ content.js
β βββ firebase-config.js
β βββ popup/
β βββ popup.html
β βββ popup.js
β βββ popup.css
βββ public/
π Security Model
| Layer | Implementation |
|---|---|
| Key derivation | PBKDF2-SHA256, 600,000 iterations, UID as salt |
| Encryption | AES-256-GCM with random IV per entry |
| Master password | Never stored, never transmitted β derived to key in browser only |
| Canary verification | Encrypted known value used to verify master password without storing it |
| Breach detection | k-anonymity β only first 5 chars of SHA-1 hash sent to HIBP API |
| Firebase rules | Per-user Firestore rules β no cross-user data access possible |
πΊοΈ Roadmap
- Vault export / import (Bitwarden CSV compatible)
- TOTP / 2FA code storage
- Firefox extension
- Dark / light theme toggle
- Audit log (per-entry view history)
π€ Contributing
Contributions are welcome. Please open an issue first to discuss what youβd like to change.
# Fork the repo, then:
git checkout -b feature/your-feature
git commit -m "feat: add your feature"
git push origin feature/your-feature
# Open a Pull Request
π License
Distributed under the MIT License. See LICENSE for details.
Built with β€οΈ using React, Firebase, and the Web Crypto API
**[Live website](https://lockyt.vercel.app)**