Installation | Usage | Security | Screenshots
Passman is a self-contained password manager with dual GUI and CLI interfaces, featuring AES-256-GCM authenticated encryption, Argon2id key derivation, HMAC-SHA256 integrity verification, and automatic memory zeroization. All credentials are stored in a single encrypted vault file portable across Windows and Linux.
- Dual interface: modern immediate-mode GUI (egui) and fully-featured CLI (clap)
- AES-256-GCM authenticated encryption with per-entry random nonces
- Argon2id key derivation with configurable and floor-validated parameters
- HMAC-SHA256 integrity verification with constant-time comparison
- Domain-separated key hierarchy (encryption key + HMAC key via HKDF)
- Atomic file writes with automatic backup rotation
- Add, edit, view, search, and delete entries
- Entry fields: username, password, URL, tags, notes, TOTP secret, timestamps
- Tag-based filtering and full-text search
- Real-time password strength analysis with actionable suggestions
- Password health dashboard with breach detection and age tracking
- Random password generation with configurable charset and length
- Memorable passphrase generation (Diceware-style word lists)
- Auto-clear after configurable timeout (default 30 seconds)
- UUID-based content tracking to avoid clearing unrelated content
- Windows: excludes passwords from clipboard history and cloud sync via native Win32 API
- Cross-platform support via arboard (X11, Wayland, Windows)
- Brute-force protection with exponential backoff lockout
- Configurable max failed attempts (default 5)
- Auto-lock on inactivity with configurable timeout
- Master password policy enforcement (length, character requirements)
- Export to JSON or CSV
- Import from JSON, CSV, Chrome, and Firefox password exports
- Merge mode for importing into existing vaults
- Self-describing binary format with embedded Argon2 parameters
- Backward-compatible loading of v1, v2, and v3 vaults
- Automatic migration on save
- TOML-based configuration file with per-section settings
- Configurable Argon2 parameters, UI preferences, backup policy, and password generation defaults
- CLI commands to show, set, and reset configuration
Master Password
|
v
[ Argon2id ] <-- random salt (stored in vault header)
| memory >= 32 MB, time >= 2, parallelism >= 1
v
Master Key (256-bit)
|
+--[ HKDF-Expand (SHA-256) ]--> Encryption Key --> AES-256-GCM
|
+--[ HKDF-Expand (SHA-256) ]--> HMAC Key --> HMAC-SHA256
Offset Field Size
------ ---------------------- --------
0 Magic ("PMAN") 4 bytes
4 Format version (4) 1 byte
5 Salt length 4 bytes (LE)
9 Argon2 memory (KB) 4 bytes (LE)
13 Argon2 time cost 4 bytes (LE)
17 Argon2 parallelism 4 bytes (LE)
21 Salt variable
Nonce 12 bytes
HMAC-SHA256 32 bytes
Ciphertext (AES-GCM) variable
| Mechanism | Scope |
|---|---|
ZeroizeOnDrop |
AES key material -- wiped when Key is dropped |
Zeroizing<String> |
Master password at all call sites |
SerializableSecret |
Entry passwords -- debug prints [REDACTED], zeroized on drop |
OptionalSecret |
TOTP secrets -- same protections as above |
| Form field zeroization | GUI input fields cleared on vault lock |
| Serialized plaintext | Wrapped in Zeroizing<Vec<u8>>, wiped after encryption |
- HMAC-SHA256 computed over
nonce || ciphertextusing a dedicated HMAC key - Verified with constant-time comparison before decryption
- Prevents tampering and truncation attacks
Download from the latest release page, or use a script installer:
Linux:
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/0M3REXE/passman/releases/download/v1.5.0/passman-installer.sh | shWindows (PowerShell):
irm https://github.com/0M3REXE/passman/releases/download/v1.5.0/passman-installer.ps1 | iexA Windows MSI installer is also available on the release page.
git clone https://github.com/0M3REXE/passman
cd passman
cargo build --releaseThe binary will be at target/release/passman (or passman.exe on Windows).
Linux build dependencies:
sudo apt-get install -y libgtk-3-dev libxcb-render0-dev libxcb-shape0-dev libxcb-xfixes0-dev libx11-dev libssl-dev| Target | Installer |
|---|---|
| x86_64 Windows | PowerShell, MSI |
| x86_64 Linux | Shell script |
Run the executable without arguments to launch the graphical interface:
passmanThe GUI provides a welcome screen for vault creation or login, a main screen with searchable entry list and one-click copy, entry add/edit forms with inline strength analysis, a password health dashboard, import/export dialogs with native file pickers, and a settings panel.
Pass a subcommand to operate in terminal mode. A --vault <path> flag is available on all commands to specify the vault file (default: vault.dat).
passman init # Create a new vault
passman change-password # Change master password
passman backup -o ./backups # Create a backup
passman vaults # List vault files in current directorypassman add github # Add entry (interactive prompts)
passman add github -u user -g -l 24 # Add with username, generate 24-char password
passman get github # Display credentials
passman get github -c # Copy password to clipboard
passman edit github # Edit interactively
passman rm github # Remove (with confirmation)
passman rm github -f # Remove without confirmationpassman list # List all entries
passman list -s "git" -t work # Search by text, filter by tag
passman check # Check strength of a typed password
passman check -a # Analyze all vault passwords
passman health # Password health dashboard
passman health --issues-only # Show only entries with issuespassman generate # Random 16-char password
passman generate -l 32 --symbols # 32-char with symbols
passman generate --no-ambiguous # Exclude 0, O, l, I, 1
passman generate -m # Memorable passphrase (4 words)passman transfer export -o backup.json -f json
passman transfer export -o backup.csv -f csv
passman transfer import -i chrome.json -f chrome --merge
passman transfer import -i passwords.csv -f csvpassman config show # Display current config
passman config set security.lock_timeout 600 # Set auto-lock to 10 min
passman config reset # Reset to defaultsPassman uses a TOML configuration file located at:
- Windows:
%APPDATA%\passman\passman.toml - Linux:
~/.config/passman/passman.toml
Falls back to passman.toml in the working directory if the platform path is unavailable.
| Section | Key | Default | Description |
|---|---|---|---|
general |
default_vault |
vault.dat |
Default vault file path |
enable_logging |
true |
Enable file logging | |
log_level |
info |
Log verbosity (error, warn, info, debug, trace) | |
security |
lock_timeout_secs |
300 |
Auto-lock timeout in seconds (0 to disable) |
clipboard_timeout_secs |
30 |
Clipboard auto-clear timeout | |
max_failed_attempts |
5 |
Failed attempts before lockout | |
min_password_length |
12 |
Minimum master password length | |
argon2_memory_kb |
65536 |
Argon2 memory parameter (KB) | |
argon2_time_cost |
3 |
Argon2 iteration count | |
argon2_parallelism |
4 |
Argon2 thread count | |
password |
default_length |
20 |
Default generated password length |
include_symbols |
true |
Include symbols in generation | |
exclude_ambiguous |
false |
Exclude ambiguous characters | |
memorable_word_count |
4 |
Word count for passphrases | |
backup |
auto_backup |
true |
Backup before each save |
max_backups |
10 |
Maximum backup files retained |
 |
 |
 |
 |
 |
 |
 |
This project is licensed under the MIT License. See LICENSE for details.
Created by 0M3REXE