Pass Tech v2.5.0

100 % local password vault. Your secrets never leave your phone.

🛡️ Security audit — May 2026

Why Pass Tech

A password manager with no cloud, no account, no server — truly.

🔒

AES-256-GCM (AEAD)

NIST SP 800-38D, random 96-bit nonce, anti-downgrade AAD. Replaces AES-CBC + HMAC.

🔑

Argon2id

RFC 9106, OWASP 2024 parameters (m = 19 MiB, t = 2). GPU/ASIC resistant. Replaces PBKDF2.

🛡️

Hardware-bound key

Non-extractable AndroidKeyStore KEK (StrongBox best-effort). Without the phone, the vault is unusable.

👆

Hardware biometrics

Keystore-sealed key, Face/Fingerprint unlock.

🛡️

Anti-brute-force

Progressive lockout after 5 fails (30s → 30min).

📵

Screenshots blocked

FLAG_SECURE on, no preview in Recents.

⏱️

Auto-lock

Configurable lock + RAM wipe of the key.

📋

Secure clipboard

Auto-clear + IS_SENSITIVE flag (Android 13+).

🔍

HIBP k-anonymity

Optional breach check; only the first 5 characters of the SHA-1 hash are sent.

📦

3 entry types

Passwords + TOTP 2FA + bank cards + notes.

🛡️

Decoy vault

A 2nd password opens a fake vault. Cryptographic plausible deniability against coercion.

🚨

Panic mode

Lock + clipboard wipe + icon camouflage as "Calculator" on the launcher.

🇫🇷

FR passphrase

French Diceware: renard-cloche-violet-soleil-7. Memorable, equally secure.

👨‍👩‍👧

Inheritance

A loved one accesses the vault after a prolonged period of inactivity. 100 % local digital will.

🎯

Per-domain anti-phishing

Checks the browser's domain before copying. Alerts on typosquatting and fake sites.

Radical privacy

Pass Tech goes beyond classic password managers with four unique protections.

Decoy vault — cryptographic plausible deniability

Set up a 2nd password that opens a fake vault filled with credible dummy entries. If someone forces you to open the app (border, inspection, theft, assault), you provide the decoy password. The app shows an alternate vault — it is cryptographically impossible to prove the existence of the real one:

  • Two indistinguishable encrypted files, two distinct salts in secure storage
  • Constant-time unlock (always 2× Argon2id m = 19 MiB, t = 2) — no side-channel reveals whether a decoy vault is configured
  • 2 Keystore aliases (pt_vault_kek_v1 + pt_vault_kek_decoy_v1) systematically created on install — Keystore inspection does not reveal decoy usage
  • Biometrics intentionally scope-locked to the main vault to avoid betraying the dual-vault

Panic mode — three protections in one tap

  • Immediate vault lock (key wiped from RAM)
  • Clipboard clearing
  • Pass Tech icon camouflage as "Calculator" on the launcher (reversible from Settings)

Inheritance — 100 % local digital will

Set up a separate password for a loved one (spouse, child, executor). If you do not use the app for N days (90 by default, 30 to 365 configurable) + 7 grace days, the "Heir access" option appears on the unlock screen.

  • Separate encrypted snapshot (pt_heir.enc) — AES-256-CBC + HMAC-SHA256, PBKDF2 600,000 iterations
  • If you log in again during the grace period, the counter is reset
  • The heir password is never stored and cannot be recovered — you communicate it to your heir securely (orally, will, bank safe)
  • No cloud, no trusted third party, unlike competitors' "Emergency Access" features that route through their servers

Per-domain anti-phishing — check before copy

Before copying a password or 2FA code, Pass Tech checks that the foreground browser is actually displaying the entry's domain. If a malicious site tries to trick you (typosquatting like paypaI.com, fake site paypal-secure.evil.com), an alert is shown comparing the domains.

  • 9 supported browsers: Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Samsung Internet, DuckDuckGo, Fenix
  • Typosquatting detection via Levenshtein distance (threshold ≤ 2)
  • Legitimate subdomains accepted (login.example.com is accepted for example.com)
  • Dedicated Android accessibility service, strict restriction to declared browsers — no other app is read
  • Only the root domain is kept, in volatile memory, with a 15 s freshness window (beyond that, the verdict fails safe to "unknown"); no persistent log, no network egress
  • Can be disabled anytime from Android Settings
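
The check described in this section, sketched as an added example (not Pass Tech's own code): it compares root domains, accepts subdomains, flags near-misses by Levenshtein distance and fails safe when the browser observation is stale. The names `verdict`, `root_domain` and the verdict strings are hypothetical, and the root domain is approximated as the last two labels, where a real implementation would use the Public Suffix List.

```python
from typing import Optional

FRESHNESS_S = 15     # freshness window stated on the page
TYPO_THRESHOLD = 2   # Levenshtein threshold stated on the page


def levenshtein(a: str, b: str) -> int:
    """Two-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def root_domain(host: str) -> str:
    """ASSUMPTION: last two labels only (no Public Suffix List lookup)."""
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def verdict(entry_domain: str, browser_host: Optional[str],
            observed_at: float, now: float) -> str:
    """Return 'match', 'typosquat', 'mismatch' or 'unknown' (fail-safe)."""
    # No observation, or one older than the window: do not guess.
    if browser_host is None or now - observed_at > FRESHNESS_S:
        return "unknown"
    want, seen = root_domain(entry_domain), root_domain(browser_host)
    if want == seen:
        return "match"        # covers login.example.com for example.com
    if levenshtein(want, seen) <= TYPO_THRESHOLD:
        return "typosquat"    # e.g. paypaI.com against paypal.com
    return "mismatch"         # e.g. paypal-secure.evil.com (root evil.com)


if __name__ == "__main__":
    # Constructed sample observations: (entry, foreground host, age in seconds)
    for entry, host, age in [("example.com", "login.example.com", 3),
                             ("paypal.com", "paypaI.com", 3),
                             ("paypal.com", "paypal-secure.evil.com", 3),
                             ("paypal.com", "paypal.com", 20)]:
        print(entry, host, verdict(entry, host, 0.0, float(age)))
```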

Open source code

For a password manager, independent code audit is essential. Pass Tech is released under the Apache 2.0 license — you can read, verify and compile it yourself.