Open Source Manifesto

The THEMES dictionary defines 7 distinct color palettes (Midnight, Forest, Crimson, Ocean, Cyberpunk, Nebula, Ghost). Each theme contains accent colors, hover states, and background configurations. This allows users to personalize the vault interface while maintaining cryptographic integrity.

THEMES = {
    "Midnight": {"accent": "#5D3FD3", "hover": "#4832A8", "bg_dark": "#0D0D0D"},
    "Forest": {"accent": "#2D6A4F", "hover": "#1B4332", "bg_dark": "#081C15"},
    "Crimson": {"accent": "#A4161A", "hover": "#660708", "bg_dark": "#0B090A"},
    # ... 4 more themes
}

The L10N class provides full Turkish/English bilingual support. All UI strings are centralized in a STRINGS dictionary, allowing runtime language switching without application restart. This architecture ensures zero hardcoded text in the UI layer.

class L10N:
    STRINGS = {
        "en": {"title": "PassForge Pro V9", "unlock": "UNLOCK ACCESS", ...},
        "tr": {"title": "PassForge Pro V9", "unlock": "ERİŞİMİ AÇ", ...}
    }

The authentication core uses PBKDF2-HMAC-SHA256 with 150,000 iterations to derive encryption keys. Password verification uses bcrypt with 12 rounds of salt stretching. This dual-layer approach ensures that even leaked hashes are computationally infeasible to crack.

@staticmethod
def derive_key(password: str, salt: bytes) -> bytes:
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt, iterations=150000)
    return base64.urlsafe_b64encode(kdf.derive(password.encode()))

The encrypted database layer combines SQLite with Fernet symmetric encryption. The Fernet key is derived from the master password and never stored on disk. Each password entry is individually encrypted, providing granular access control even within the same vault.

class VaultDB:
    def __init__(self, key: bytes, folder_path: str):
        self.fernet = Fernet(key)
        self.db_path = os.path.join(folder_path, "vault.db")
        # SQLite schema with encrypted_pass BLOB column

The Ghost Protocol generates decoy files in system directories to mask the application signature. Silent UAC elevation uses recursive ShellExecute calls with hidden console windows. Secure delete overwrites file contents with random data before unlinking.

@staticmethod
def ghost_protocol():
    paths = [os.environ.get('TEMP'), os.path.join(os.environ.get('SystemRoot'), 'Prefetch')]
    for p in paths:
        for _ in range(8):
            f = os.path.join(p, f"sys_cache_{random.randint(100, 999)}.tmp")
            with open(f, "wb") as dummy: dummy.write(os.urandom(random.randint(1024, 8192)))

def generate_password(length=32):
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    while True:
        password = ''.join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in password)
                and any(c.isupper() for c in password)
                and sum(c.isdigit() for c in password) >= 3):
            return password

def clear_clipboard_thread():
    time.sleep(45)
    try:
        pyperclip.copy("")  # Overwrite with empty string
    except Exception:
        pass  # Handle race conditions gracefully

def restore_entry(self, entry_id):
    # Atomic transaction to move entry back from trash
    cursor.execute("INSERT INTO passwords SELECT ... FROM trash WHERE id=?", (entry_id,))
    cursor.execute("DELETE FROM trash WHERE id=?", (entry_id,))
    self.conn.commit()

• Windows-only: Requires Windows 10/11 with Python 3.8+
• No cloud sync: Data remains strictly local (intentional security choice)
• Manual backup required: Automatic cloud backup not available
• Single-user vault: No multi-user access control in current version