PassWave: Password Generator with Supabase Vault — from idea to PWA in 2 weeks

Constantin Potapov
9 min

Building a safe password generator and lightweight vault with client‑side encryption, offline mode, and Supabase sync. Architecture choices, PWA, i18n, and Telegram integration notes. UPD: the service was hacked via an axios vulnerability and I shut it down.

UPD April 2026: The service is shut down. An axios vulnerability was exploited to breach the backend and access stored data. I pulled the plug before things got worse. The original article is preserved below, with a postmortem at the end.

When You Want a Password, Not a New Lifestyle Subscription

Sometimes you just need a strong, espresso‑like password. Generate, copy, move on. In practice you end up in a mini CRM for your secrets: subscriptions, syncs, "happy safe forever" plans.

I wanted simplicity. That's how PassWave was born — a minimalist password generator with an optional vault. No obligations, no pressure, no "enter credit card to continue."

The idea started as a Telegram Mini App — neat until I realized a PWA is more universal. Installable on phone/desktop, works offline, not tied to a platform. The Telegram version is on the shelf if there's demand.

Context of the Era

The password manager market is mature and "heavy": subscriptions, ecosystems, autofill. People often just want a quick way to generate and store a few secrets. After the headline breaches, demand for client‑side encryption and offline capability grew.

What Shipped (MVP in 2 Weeks)

🔐 Security without Lecture

  • Everything is encrypted client‑side. The server sees an opaque encrypted blob and has no idea what's inside.
  • Passwords are generated with proper crypto, not "random from an alley."
  • The passphrase is yours only. Lose it — I can't recover. On the upside, neither can I see your secrets.

📱 A Real PWA

  • Install to home screen; behaves like an app.
  • Full offline: generation + local vault without internet.
  • Cross‑device sync — only when you choose, not "we synced it all, hope you don't mind."

🌍 i18n

From day one: Russian, English, and friends. Adding a new language is painless.

🧩 Features

  • Password presets and "no O/0 and I/l."
  • Passphrases if you prefer "correct‑horse‑battery‑staple."
  • Batch generation for a tidy sweep.
  • QR to move secrets between devices without messaging yourself.
  • Dark mode. Obviously.

Important: this is not a replacement for heavyweight 100,500‑entry managers. It's a pocket multitool — generate, store a few important items, live in peace.

Business Insights

  • JTBD: "Quickly generate and store a handful of secrets, offline, no subscription."
  • Positioning: privacy‑first, zero‑knowledge, PWA (no vendor lock‑in).
  • Monetization (if needed): one‑time unlock/themes/wordlists; B2B white‑label.
  • Channels: SEO "password generator", social challenges, privacy communities.

Why These Choices

  • No autofill/extensions/"we'll do it all for you." Fewer moving parts = fewer bugs and safer UX.
  • Supabase sync with encrypted blobs only. Server as courier, not reader.
  • No registration required — stay local if you want.

Who It's For

  • Freelancers, developers, anyone signing up for new services often.
  • Those who don't want a subscription just to generate passwords.
  • Those who like offline and control.

Roadmap (Short and Pragmatic)

  • Lightweight import/export.
  • More passphrase dictionaries.
  • Mini "paranoia mode": auto‑lock on blur.

Postmortem: Why I Shut Down PassWave

In spring 2026, the service was compromised. The attack vector was an axios vulnerability that gave the attacker access to the backend. They got the encrypted blobs stored on the server.

Technically, data was encrypted client‑side — without the user's passphrase it's useless to anyone. But the fact that someone walked into the backend was itself an architectural failure. I didn't want to run a service I no longer trusted.

Decision: shut everything down before things got worse.

What I took away:

  • Even a zero‑knowledge architecture doesn't excuse a weak backend.
  • Dependencies are attack surface. Especially in a side project where updates slip.
  • A pet project with real users is a product — treat it accordingly.

No relaunch planned for now. If it comes back — serverless only, minimal attack surface, strict dependency pipeline.
