The person behind the vault

Built because the right tool didn't exist

Most password managers are either architecturally naïve or prohibitively expensive. HexVault is built on the premise that cryptographic security and usability are not in tension — they just require a different starting point.

MH
Founder
Michael McCarthy
Cybersecurity Analyst  ·  Sole Developer  ·  UK

I've spent years doing incident response — walking into organisations after something went wrong and working out what happened. Credentials, almost always. Passwords in the wrong place, access that was never properly revoked, a shared admin account nobody wanted to touch. After the third time I wrote the same root cause analysis, I stopped writing reports and started writing code.

HexVault is a side project that got serious. I built it because I wanted to use it — and because I couldn't justify recommending any of the existing options to the small teams I worked with. Too expensive, too complex, or architecturally wrong in ways that most people wouldn't notice until it was too late.

It's still just me. That means the roadmap moves at the speed of one person working evenings and weekends, and some things take longer than I'd like. But it also means every decision is mine, the architecture has never been compromised for a feature, and I actually use this thing every day.

Connect on LinkedIn
Zero-knowledge Cryptography Incident response Access management Threat modelling Python / Flask PostgreSQL Docker

Why this exists and why it's different

The third time I sat in a post-incident call and wrote “credentials in the wrong place” as the root cause, I closed the report template and opened a text editor. Not to write another report. To write the spec for the thing I wanted to exist.

The pattern was always the same. A leaver whose access was “revoked” in the ticketing system but never actually removed from the shared vault. An admin account with no audit trail, shared between three people who all knew the password. A four-month exfiltration that nobody caught because there were no quorum requirements on sensitive operations — just trust, and the assumption that trust would hold.

The tools that could have prevented this were either priced at £60k a year (fine if you're a large enterprise, useless if you're a 25-person team trying to do the right thing) or architecturally naive — cloud-synced, policy-based rather than cryptographic. Most password managers are built around the assumption that the server is trustworthy. I'd spent enough time in incident response to know that assumption eventually breaks.

So I built around a different assumption: the server is hostile. Everything is encrypted client-side before it leaves your device. The server stores ciphertext it cannot read. Access revocation is mathematical, not procedural. Multi-party approval is enforced by the architecture, not by convention.

Every feature traces back to a real incident. The per-entry key derivation — because a single compromised master password shouldn't expose everything. The structured offboarding — because “we removed their Slack” is not offboarding. The anomaly detection — because four months is too long to not notice. None of this is theoretical. It's what I wish had existed on the days I needed it most.

v6.39.78
Current version, iterating fast
3
Cryptographic vault domains
AES‑256
Per-entry GCM encryption
0
Plaintext stored on our servers
Principles
The decisions that never change
01
Zero-knowledge, always

The server stores ciphertext. Only you hold the key. This is not a policy — it is the architecture. No feature will ever compromise this.

02
No single point of trust

Multi-party approval is not optional for sensitive operations. No admin, including the platform itself, should be able to act unilaterally on your credentials.

03
Honest about limitations

HexVault has not been independently audited yet. That is stated clearly. No feature is positioned beyond what the current architecture actually delivers.

04
Built to be replaced

Your data should always be exportable in a standard format. No lock-in. If something better comes along, you should be able to leave cleanly.

Build log
How we got here
Early 2025
The problem becomes undeniable

A third incident response engagement in six months where credentials were found in the wrong vault. The pattern was clear. No existing tool solved it correctly.

Mid 2025
Architecture first, code second

Six weeks spent designing the cryptographic separation model before writing a single line of application code. Per-entry key derivation, group key distribution, domain isolation.

Late 2025
Core vault ships

Personal vault, breach monitoring, TOTP storage, secure notes, WebAuthn. The foundation everything else builds on.

Early 2026
Team, Family & Enterprise tiers ship

Multi-party approval, structured offboarding, anomaly detection, credential access logging, org vault schema. The governance layer that makes HexVault genuinely enterprise-grade.

April 2026
Browser extension goes live on Chrome Web Store

Extension live with autofill, TOTP, breach badges, and passphrase generator. SSO/SAML, cloud backup, emergency access, groups, admin portal, and desktop app all shipped. Firefox and Edge submissions pending.

Now
Iterating in public

Version 6.39.78. Security audit scoped. Billing fully live. Shipping fixes and features in response to real users. The roadmap is short and honest.

If this resonates,
try it

14 days free. No credit card. Your data encrypted client-side from the first entry.

Start free trial Get in touch