Security Docs

The complete guide to how FrankPass generates passwords — the cryptographic architecture, the security reasoning, and how to use every feature.

Chapter 1: Why Stateless?

The strongest argument for a fundamentally different approach to password management.

The Vault Paradox

Every traditional password manager, regardless of how strong its encryption is, shares the same fundamental architectural property: it stores your passwords. Not in plaintext, but stored. Which means a target exists.

When you encrypt a vault and put it on a server, you've created a mathematical problem that becomes increasingly worth solving as your vault's value grows. Adversaries can download an encrypted vault, then attack it offline, in parallel, for as long as they like, with hardware that only gets faster over time.

What Stateless Means

FrankPass inverts this architecture. Instead of retrieving a stored password, it derives one from inputs you provide. The password is not stored anywhere — not on our servers, not in your browser's storage, not in a local file. It exists only in your browser's memory for the moment between generation and use.

This means there is no vault to breach. No target to attack. No honeypot to steal.

The Mathematical Guarantee

Deterministic cryptography is the foundation: given identical inputs, a cryptographic function always produces an identical output. This property, called determinism, is what makes FrankPass possible. Your password is a pure mathematical consequence of things you know: your secret key, the platform name and the variant number, together with the optional username and the profile and length settings you chose.

Change any one of these and you get a completely different password. Keep them the same and you always get the same password — on any device, in any country, offline, forever.

The Threat Model Comparison

With a cloud vault, you must trust the company's server security, their encryption implementation, their employee access controls, and their backup procedures. A failure in any of these exposes all of your passwords simultaneously.

With FrankPass, your only secret is your secret key — a string that lives only in your memory. An attacker who breaches our servers (which store nothing) gains nothing. An attacker who intercepts network traffic during generation gains nothing — there is no network traffic during generation. The attack surface is reduced to a single variable: your secret key.

// The derivation pipeline — same inputs, always same output
PBKDF2(secretKey, contextVector, 1,000,000 iterations, SHA-512)
→ HMAC-SHA512 expansion
→ Character mapping with ambiguity removal
→ Your password

Enhanced Security Through Simplicity

Stateless systems reduce the attack surface dramatically. There is no database to breach, no encrypted vault to crack, no backup file to steal. Short of obtaining a password from the website it was entered on, the only way to get at someone's FrankPass-generated passwords is to know their secret key, and that is never transmitted, never stored, and never leaves their mind.

Chapter 2: How It Works

A step-by-step walkthrough of the cryptographic process inside FrankPass.

Step 1 — Local Pepper Generation

Before the main derivation, FrankPass generates a local pepper using HMAC-SHA512 followed by 1,000 rounds of SHA-256. This pre-processing step creates a unique intermediate value that anchors the derivation to your specific combination of platform and username — preventing cross-site correlation attacks.

Step 2 — Context Vector Construction

A structured context string is built from all inputs: the application ID, version, platform name, username, pepper, variant, profile, and desired length. Each field is prefixed with its length so that field boundaries are unambiguous: "face" followed by "book" can never encode the same as "faceb" followed by "ook", so two different sets of inputs cannot collide on the same context string. The entire string is normalized using Unicode NFC normalization to ensure cross-platform consistency.

Step 3 — PBKDF2 Key Derivation

The core of the engine. PBKDF2 (Password-Based Key Derivation Function 2) is applied with SHA-512 as the hash function, using the secret key as the password input and the context vector as the salt, and running for 1,000,000 iterations. This computational cost is by design: it makes brute-force attacks expensive. Deriving one password candidate takes roughly one second in a browser on modern hardware, so an attacker testing millions of candidates needs millions of seconds of compute. Note what this does and does not buy: the iteration count slows each guess but does not cap guessing, since an attacker can run many guesses in parallel on GPUs. The iteration count buys time; the unguessability of the secret key itself is what ultimately decides the outcome.

Step 4 — HMAC-SHA512 Expansion

The 512-bit output from PBKDF2 is expanded using two rounds of HMAC-SHA512. This produces 128 bytes of pseudorandom output, more than enough raw material to construct passwords of any requested length. The expansion spreads the entropy of the 512-bit key across the output; it does not add any, so the password can never hold more entropy than the secret key that seeded it.

Step 5 — Character Mapping

The byte stream is mapped to characters using bias-free rejection sampling: bytes that would skew the distribution are discarded rather than folded, so each output character is uniformly distributed over the alphabet. Visually ambiguous characters (l, I, O, 0, 1, C, c, S, s, V, v, W, w) are excluded. The algorithm then verifies that the password satisfies the character class requirements of the selected profile and, if a class is missing, deterministically replaces a character so that the result still reproduces exactly on every run.

Chapter 3: Keys vs Passwords

Understanding the distinction between your Secret Key and the passwords FrankPass generates.

Your Secret Key

Your secret key is the master seed. It is the one piece of information you must protect and never forget. It should be something deeply personal — a phrase, a pattern based on events only you know, or a combination of memorable elements. The best secret keys are long, memorable to you, and impossible for others to guess.

Your secret key is never transmitted, never stored, and never logged. It exists only in your browser's memory while you are using the generator, and is automatically cleared after 2 minutes of inactivity.

Generated Passwords

The passwords FrankPass generates are the output — not inputs. They are strong, unique per platform, and reproducible. You don't need to remember them; you need to be able to re-derive them. As long as you remember your secret key and the settings you used, you can always reproduce any password.

The Critical Rule

Never use a generated password as your secret key. And never use your secret key as a password anywhere. The secret key is your master seed — if an attacker ever learns it, they can derive all your passwords for all platforms. Protect it accordingly.

Chapter 4: Security Model

What FrankPass protects against, and what remains your responsibility.

Protected Against

FrankPass's architecture protects you from server-side breaches (nothing to steal), network interception (no network traffic during generation), and database leaks (no database exists). Because every platform gets a unique password derived from the same key, a password stolen from one website cannot be reused at any other website. One caveat follows from the design itself: every password is a deterministic function of your secret key, so a password leaked in plaintext from one site gives an attacker something to test secret key guesses against offline. The 1,000,000-iteration PBKDF2 step makes each guess expensive, but a short or guessable secret key is still the way this architecture fails.

Responsibility Boundary

FrankPass does not protect against keyloggers on your device, shoulder surfing, or a compromised browser. It also cannot protect you if your secret key is guessable or if you share it with others. Security is a system: FrankPass secures the password generation layer (there is no storage layer to secure). Device security, phishing awareness, and secret key hygiene remain your responsibility.

Open Algorithm

The cryptographic engine in frankpass-core.js uses only the Web Cryptography API — browser-native cryptography that is audited, standardized, and used by financial institutions worldwide. PBKDF2 and HMAC-SHA512 are NIST-approved primitives. There is no proprietary cryptography, no custom hash functions, no security through obscurity.

Chapter 5: Advanced Options

A complete reference for every option in the generator's advanced panel.

Username Field

Leave this blank unless you have multiple accounts on the same platform. Changing your email or username on a website and having it in this field will produce a different password — potentially locking you out. The only valid use case is differentiating between, for example, two Instagram accounts you manage.

Variant Counter

The variant counter is your password rotation tool. If a website forces you to change your password, or if you believe a password may have been compromised, increment the variant number from 1 to 2 (or any number up to 99). This produces a completely new password for that platform without changing your secret key or any other settings. Keep a note of which variant number you're using for each platform.

Password Length

The length slider controls how many characters the generated password contains, from a minimum of 8 to a maximum of 32. Longer passwords are harder to guess at the website's login form and harder to recover from a leaked hash. Use 32 characters (the Max preset) for your most important accounts. Use shorter lengths only when a website has a character limit, and note that limit for future use.

Profile Presets

Three presets are available. Simple uses alphanumeric characters only (letters and numbers, no symbols) and sets length to 12, for websites that don't accept symbols. Strong is the default: all character classes including symbols, length 16, providing excellent security for most purposes. Max uses all character classes at length 32, the most entropy the generator can place in a single password; the real bound is still the entropy of the secret key, since every password is derived from it.

Chapter 6: Platform Tips

How to handle common scenarios when using FrankPass with real-world websites.

Domain Normalization

FrankPass automatically normalizes whatever you type into the platform field. Whether you enter facebook, facebook.com, www.facebook.com, or m.facebook.com, the generator strips everything down to the base domain name. This means you always get the same password regardless of which URL variant you type.
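A normaliser with the behaviour described above, as an added example that is not FrankPass's own code. Two things the page leaves open are assumptions here: the canonical form is taken to be the first label of the registrable domain (so facebook, facebook.com and m.facebook.com all become facebook), and multi-label public suffixes such as co.uk are handled with a small constructed list rather than the real public suffix list.

```javascript
// Added example, not FrankPass's own code. ASSUMPTIONS: the canonical platform name is
// the first label of the registrable domain, and MULTI_LABEL_SUFFIXES is a small
// constructed sample standing in for the real public suffix list.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'org.uk', 'ac.uk', 'com.au', 'co.jp', 'com.br']);

function normalizePlatform(input) {
  let s = String(input).trim().toLowerCase().normalize('NFC');
  if (s === '') throw new Error('platform is empty');
  // Let the URL parser strip scheme, port, path and query; bare names get a scheme first.
  if (!/^[a-z][a-z0-9+.-]*:\/\//.test(s)) s = 'https://' + s;
  let host;
  try {
    host = new URL(s).hostname;
  } catch {
    throw new Error(`cannot parse platform: ${input}`);
  }
  const labels = host.replace(/\.$/, '').split('.').filter(Boolean);
  if (labels.length === 0) throw new Error(`cannot parse platform: ${input}`);
  if (labels.length === 1) return labels[0];              // "facebook" stays "facebook"
  // The registrable domain is the last two labels, or three when the last two form a
  // multi-label public suffix such as co.uk. Its first label is the platform name.
  const suffixLen = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 2 : 1;
  const registrable = labels.slice(-(suffixLen + 1));
  return registrable[0];
}

module.exports = { normalizePlatform };
```

Dropping the suffix is what makes a bare "facebook" and "facebook.com" agree, but it also means example.com and example.org would receive the same password; if that matters for your platforms, return registrable.join('.') instead and always type the full domain.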

Websites That Reject the Generated Password

Some older platforms have restrictive password policies — they may not accept symbols, or may have maximum length limits shorter than your setting. If a website rejects your password: first, try the Simple preset (alphanumeric only). If that doesn't work, reduce the length. Always note which settings you used for that website, because you'll need to use those exact settings every time you log in.

High-Security Accounts

For banking, email, and other critical accounts, use the Max preset (length 32, all character classes). Enable the Variant field and set it to a number you'll remember, and keep the variants you use for high-security accounts separate from the ones you use for routine accounts. Keep in mind that the variant is a rotation counter from 1 to 99, not a second secret: the protection of these accounts rests on the secret key and the full 32-character length.

Multiple Accounts on One Platform

If you manage multiple accounts on the same platform (e.g., two email addresses on Gmail, or two Instagram profiles), use the Username field to distinguish them. Enter something stable — ideally a fixed identifier like the account number or handle — not a changeable email address.

Chapter 7: SDK Coming Soon

The FrankPass JavaScript SDK will expose the same PBKDF2 + HMAC-SHA512 engine as a standalone npm package and browser module, so developers can integrate stateless password generation into their own applications. Documentation will appear here at launch.

Follow @iamfrankpass for the release announcement.

Ready to start?

The generator is free and requires no account. Open it now and try it offline.

Open Generator → Read the FAQ