Oliver Servín

February 2, 2026

How hard could it be? Building my own password manager

I lost access to my password manager.

After years of jumping from Chrome's built-in manager to 1Password to Secrets (included in my Setapp subscription), I stopped paying for Setapp and suddenly found myself locked out of all my passwords.

I could have migrated to a free alternative like Bitwarden or KeePass. But I had something else going for me: I now work fewer hours at my paid job, which means more free time.

So I asked myself a question: How hard could it be to build my own password manager?

The result

A few weeks later, I had a working password manager at password.antihq.com. It's free, it's open source, and it handles 90% of what I actually need from a password manager.

You can sign up right now if you want. But here's the thing that surprised me: it wasn't hard.

The problem

Let me back up. I've been using password managers for over a decade. Chrome → 1Password → Secrets. They worked, sure. But they were all commercial products with features I never touched, interfaces I didn't design, and subscriptions I kept paying.

When I lost access to Secrets, I faced a choice: migrate to another commercial product, or finally build something that fit my needs exactly.

I chose to build it.

The peak insight: 90% of needs, 10% of complexity

Here's what I realized through this process: the features I actually use represent a tiny fraction of what commercial password managers offer.

What I actually need:

  1. Logins: Store service name, username, password, and website
  2. Password generation: Auto-generate strong passwords when signing up for new services
  3. Copy-paste: Quickly copy username or password to clipboard
  4. Search: Find logins instantly (Command+K for the win)
  5. Notes: Store backup codes for 2FA or any other related info
  6. Website quick-access: Open the login page directly from the password entry
  7. Credit cards: Store card details for online purchases
  8. Team sharing: Occasionally share logins with others (or just use the personal team for myself)

That's it. Browser extensions, autofill, dark patterns, and subscription tiers. They're all noise.

The insight: You don't need a feature-packed commercial product. You need the 10% of features you actually use, built your way.

How I built it

I used Laravel as my web framework. Why? Because I could host it on my personal web server and access it from any device. Plus, Laravel made this surprisingly fast.

Here's the stack:

  • Laravel: Web framework and backend
  • Laravel Jetstream: Authentication and team features out of the box
  • Encryption casting: Built-in Laravel feature that encrypts passwords and notes in the database
  • Unavatar: Service that pulls favicons for websites
  • MySQL: Database storage

The workflow:

  1. Add a new entry: name (service), username (usually email), password (auto-generated or overwrite with existing), website URL
  2. The app shows the favicon via Unavatar
  3. View the entry → copy password → click link to open website → paste
  4. Same flow for username: one button to copy

Smart touches:

  • Username suggestions from existing entries (since I reuse emails across services)
  • Command+K to focus search and find logins instantly
  • Notes section for 2FA backup codes or anything else
  • Credit card storage separate from logins (number, name, expiry, CVV)
  • Team features built in through Jetstream (invite members, share credentials)

The entire experience is designed around one goal: make copy-pasting passwords as frictionless as possible.

Why simple beats complex

Most password managers push browser extensions and autofill as killer features. I built neither.

Here's why: I chose copy-paste over autofill.

In 2023, many major password managers were compromised by the AutoSpill exploit. It's a vulnerability where malicious landing pages with invisible fields trick password managers into autofilling credentials without your knowledge. 1Password, LastPass, Enpass, Keeper, and Keepass2Android were all affected.

Proton's take on this: automated autofill is dangerous because it fills any field without your permission. Their solution is manual autofill: wait for you to interact with fields before filling them. This adds a layer of security and gives you a chance to verify you're on the right website.

That's a reasonable approach. But I went a step further.

I eliminated autofill entirely and built a copy-paste workflow. When I need to log in, I open my password manager, copy the password, click the website link, and paste. It's two clicks, zero extension trust required, and no background processes running on my machine.

Is this the objectively most secure approach? Maybe not. Manual autofill would also work. But it's the approach that gives me the most control and transparency. I know exactly what's happening at every step.

This is the minimalist mindset in action: build only what you need, and build it well.

Security considerations

I didn't go crazy with encryption because Laravel handles the heavy lifting.

What I did:

  • Passwords and notes are encrypted in the database using Laravel's built-in encryption casting
  • The app runs on my personal server (full control)
  • HTTPS everywhere
  • No unnecessary data collection

What I didn't do:

  • I didn't build my own encryption algorithm (don't do this)
  • I didn't overengineer the architecture
  • I didn't try to compete with LastPass on features

The 2FA decision:

I didn't build 2FA code generation into my password manager. Why? Because 2FAS Auth already exists and it's fantastic.

I use 2FAS on my iPhone and their Safari extension. When I log in somewhere with 2FA enabled, 2FAS pings me with the code. It works perfectly. I don't need to reinvent that wheel.

This is a general rule of building your own tools: don't build what someone else has already solved well. Build the parts that matter to you, integrate with the rest.

Why every developer should build their own tools

Here's the real lesson from this project: understanding beats convenience.

When I used commercial password managers, I trusted that they knew what they were doing. I didn't question their security practices, their feature decisions, or their business model. I just paid and used.

When I built my own, I had to understand:

  • How encryption actually works in practice
  • What security trade-offs matter and which don't
  • What I actually need vs what I think I need
  • How much complexity is necessary vs unnecessary

This understanding is worth more than any feature list. It makes me a better developer, a more informed security-conscious user, and someone who can make better decisions about the tools I rely on daily.

And here's the kicker: modern frameworks make this possible for individual developers.

Laravel, encryption casting, Jetstream. These are tools that let one person build what companies sell as products. The barriers to building your own tools have never been lower.

The takeaway

I built a password manager that handles 90% of my needs in a fraction of the time I expected. It's simple, it's secure, it's mine.

The next time you find yourself frustrated with a tool you use every day, ask yourself: How hard could it be to build my own?

You might be surprised.

My password manager is open source at github.com/antihq/password and available for free at password.antihq.com. If you find it useful, let me know. If not, maybe build your own. It's easier than you think.

About Oliver Servín

Working solo at AntiHQ, a one-person software company.