Self-hosting is free forever — clone the repo, deploy it yourself, no fees, no limits from us. The hosted cloud (mydevtools.tech) is a paid service.

What is the difference between self-hosting and MyDevTools Cloud?

Self-hosting is the same codebase running on your own infrastructure — you own the data and pay nothing to us. MyDevTools Cloud is our managed service; it is a paid subscription that covers hosting, sync, and backups.

Sensitive data is encrypted in your browser before it reaches the server where supported. The server stores encrypted blobs for vault-style data instead of readable plaintext.

Do I need an account to use the tools?

Google Sign-In is required to save your data across sessions. Many public tool pages can be explored before opening the full app experience.

Is this truly open source?

Yes. Full source code is available on GitHub under the GPL-3.0 license. You can audit, contribute, fork, or self-host it.

Does it work offline?

Many tools are fully client-side and can work without server processing. Tools that connect to external services, sync data, or send API requests need a network connection.

Security6 min readJanuary 8, 2026

Password Manager for Developers: Secure Storage Without a SaaS Subscription

Learn how developer-focused password managers work, why browser-based encrypted vaults are useful for local credential storage, and how to protect secrets without leaking them.

Try the free online tool mentioned in this guide:Password Manager

Open tool Learn more

Why developers need a dedicated password manager

Developers accumulate secrets faster than almost any other role: database credentials, API keys, staging logins, SSH passphrases, service accounts, .env values, and personal accounts all pile up across projects.

Using a browser autofill or a sticky note for these is a significant security risk. A proper password manager encrypts credentials at rest with a master password derived key — so even if the storage medium is compromised, the attacker gets ciphertext, not plaintext.

How password managers encrypt your data

Most password managers use AES-256 encryption with a key derived from the master password using a slow key derivation function (KDF) like PBKDF2, bcrypt, or Argon2. The KDF makes brute-forcing the master password computationally expensive even with modern hardware.

The encryption and decryption happen on the client — the server (or file) only ever sees ciphertext. This is called zero-knowledge architecture: the service provider cannot decrypt your vault even if subpoenaed.

javascript

// Simplified: what happens when you unlock a vault
const masterPassword = "my-strong-passphrase"
const salt = getCryptographicSalt()  // stored alongside ciphertext

// Derive a key — slow by design (100,000+ iterations)
const key = await crypto.subtle.importKey(
  "raw",
  new TextEncoder().encode(masterPassword),
  "PBKDF2",
  false,
  ["deriveKey"]
)
const aesKey = await crypto.subtle.deriveKey(
  { name: "PBKDF2", salt, iterations: 100000, hash: "SHA-256" },
  key,
  { name: "AES-GCM", length: 256 },
  false,
  ["decrypt"]
)

Browser-based vs cloud-synced password managers

Cloud-synced (1Password, Bitwarden, Dashlane): your encrypted vault is stored on the provider's servers. Sync across devices is automatic. The trade-off is trusting the provider's infrastructure and zero-knowledge claims.

Local / self-hosted (KeePass, Bitwarden self-hosted, browser-based vaults): the encrypted file lives on your machine or your own server. No third-party ever holds your ciphertext. Sync requires your own solution (e.g., Syncthing, a personal S3 bucket).

Browser-based vault tools like MyDevTools Password Manager store credentials in your browser's encrypted local storage — useful for development credentials, staging tokens, and project-specific secrets that you do not want in a cloud service.

Best practices for developer secrets

Use a strong, unique master password — at least 20 characters, ideally a passphrase. Never reuse it.

Never commit secrets to git — use environment variables, .env files (in .gitignore), or a secrets manager like AWS Secrets Manager or HashiCorp Vault for production.

Rotate credentials after a breach — if a service is compromised, assume all stored credentials for that service are exposed.

Separate personal and work vaults — keep work credentials in an org-controlled manager; personal credentials in your own.

Enable 2FA on the password manager itself — your manager is the master key to everything else. Protect it accordingly.

When to use a browser-based vault vs a full password manager

A browser-based vault is ideal for: development environment credentials you access frequently during a session, staging and test account logins, tool-specific API keys used in the browser, and temporary project secrets.

Use a full cross-device password manager (1Password, Bitwarden) for: personal login credentials, production secrets you need on mobile or multiple machines, and anything that must survive a browser profile wipe.

Frequently asked questions

Is a browser-based password manager safe?

Yes, if the vault is encrypted with AES-256 and a master password before storing locally. The critical requirement is that plaintext credentials never leave the browser — all encryption and decryption must happen client-side.

Should I use a password manager for API keys?

Yes. API keys are credentials. Store them in a password manager or secrets manager rather than in code, config files committed to git, or browser autofill.

What is the difference between a password manager and a secrets manager?

A password manager (1Password, Bitwarden) is optimized for human-facing credentials with a UI for browsing and copying. A secrets manager (AWS Secrets Manager, HashiCorp Vault) is optimized for application-to-application authentication with API access, rotation, and audit logs.

What master password strength should I use?

A passphrase of 4–5 random words (e.g., from a wordlist) gives 50–65 bits of entropy — far stronger than a typical complex 10-character password. Length matters more than character variety for passphrases.