unsubbed.co

PearPass

PearPass is a serverless, peer-to-peer security & authentication replacement for 1Password, Dashlane, and more.

Open-source password management without a cloud, a server, or a subscription — honestly reviewed.

TL;DR

  • What it is: An Apache 2.0-licensed, peer-to-peer password manager built on the Pear Runtime (Holepunch’s distributed app platform). No server, no cloud, no data center — sync happens directly between your devices [website].
  • Who it’s for: Privacy-first individuals who want genuine zero-server password syncing and are comfortable with early-stage, community-driven software. Not for non-technical teams, not for businesses [README][website].
  • Cost savings: PearPass is free. Alternatives like 1Password ($2.99–$4.99/mo per user), Dashlane ($4.99/mo), and Bitwarden's managed cloud ($10/yr for Premium; its free tier covers one user) cost money once you want the paid features. The comparison is less about price and more about trust model.
  • Key strength: True peer-to-peer sync — no relay server, no Bitwarden-compatible backend, no Vaultwarden instance to maintain. The threat model is fundamentally different from every other option in this category [website][README].
  • Key weakness: 399 GitHub stars, a dependency on the niche Pear Runtime, a complex multi-repo setup process, and essentially zero independent third-party coverage. This is a project with a compelling architecture and real execution risks.

What is PearPass

PearPass is a password manager that stores passwords, credit card details, secure notes, and custom fields locally on your devices and syncs them directly between those devices using peer-to-peer networking — no intermediary server involved [README][website].

The project is built on Pear Runtime (also called the Holepunch stack), a distributed application runtime from Holepunch, the Tether-backed company that also builds Keet. The sync layer uses the Hypercore Protocol: append-only logs replicated directly between peers, which find each other through the Hyperswarm DHT. That is the same stack that powers Keet, the P2P chat app PearPass recommends for community support [README][website]. In practical terms: when you add a password on your laptop, it is replicated directly to your phone; no server ever holds a copy. Because there is no always-on intermediary, both devices must be online at the same time for a change to propagate; otherwise sync waits until they are.

The available clients are: a desktop app (primary development focus, the GitHub repo is pearpass-app-desktop), a mobile app for iOS and Android (separate repo, available on App Store and Google Play), and a browser extension (also a separate repo) [README][website].

Encryption uses cryptographic primitives from Libsodium, a well-audited, widely deployed library; the available sources name the library but not which constructions are used or how the vault key is derived from the master password [website]. The project has undergone an independent security audit by Secfault Security, a firm specializing in offensive security and cryptographic analysis, and the report is publicly available [website]. That is a meaningful data point for a 399-star project: most tools at this star count never get audited at all. Read the report's scope section before leaning on it, since an audit covers a specific version and set of components, not the moving target of an actively developed multi-repo codebase.

The license is Apache 2.0, which is genuinely permissive — no copyleft complications, no “fair-code” restrictions, no commercial licensing caveats [README].


Why people choose it

Independent third-party reviews of PearPass are scarce — a direct consequence of its size (399 stars as of this writing). That scarcity is itself information: this is not a tool that’s been stress-tested by thousands of teams. What follows is based on the primary sources available: the GitHub README, the official website, and the publicly available security audit [README][website].

The choice to use PearPass comes down to one specific thesis: you don't trust servers. Not your own VPS running Vaultwarden. Not Bitwarden's cloud. Not 1Password's infrastructure. You want a password manager whose guarantee is architectural rather than cryptographic: your vault data, even in encrypted form, is never stored on a machine you don't physically control, because there is no server in the design. One nuance: a DHT-based design like this one still relies on the public DHT for peer discovery, so DHT nodes learn that peers exist under a given key, not what those peers exchange. PearPass is, to our knowledge, the only password manager with a meaningful user base that architecturally delivers on this without requiring you to be your own network engineer.

Every other self-hosted option in this category — Bitwarden, Vaultwarden, Passbolt — still requires you to run a server that holds (encrypted) data. If that server is compromised, the attacker walks away with every user's encrypted vault and can run offline guessing against the master passwords at leisure, with no lockout and no rate limit; for tools that serve a web vault, the server is also in a position to tamper with the client it delivers. PearPass removes that target by design. There's no server to compromise [website][README].

The trade-off people are making when they choose PearPass over Bitwarden is: better trust model, worse ecosystem maturity. That’s not a knock — it’s the correct framing.


Features

From the README and website:

Core vault:

  • Passwords, identities, credit card details, secure notes, custom fields [README]
  • End-to-end encryption via Libsodium cryptographic primitives [website]
  • Password strength analysis [README]
  • Built-in random password generator [README][website]
  • Offline access — all data stored locally [README][website]

Sync:

  • P2P cross-device sync via Pear Runtime / Hypercore Protocol [README][website]
  • Desktop ↔ mobile ↔ browser extension (separate repos, same vault) [README]
  • No relay server required; both devices communicate directly [website]

Security:

  • Independent security audit by Secfault Security (report publicly available as PDF from the website) [website]
  • Open-source — full code available for inspection [README]

What’s not there (conspicuously):

  • No team/organization vaults
  • No emergency access or sharing features mentioned
  • No SSH key management
  • No TOTP/2FA code storage mentioned in the README
  • No self-hosted server option (by design — there is no server)
  • Browser extension exists but autofill maturity is unclear from available sources [README]

Pricing: SaaS vs self-hosted math

PearPass has no pricing page and no paid tier. The software is free, Apache 2.0, and runs on free infrastructure (Pear Runtime is also open source) [README][website].

The relevant financial comparison is against the alternatives you’re choosing between:

Option                     Annual cost (individual)              Server required
PearPass                   $0                                    No
Bitwarden Cloud            $10/yr (Premium; free tier exists)    No (their cloud)
Vaultwarden self-hosted    ~$60–120/yr (VPS)                     Yes
1Password                  $35.88/yr                             No (their cloud)
Dashlane Premium           $59.88/yr                             No (their cloud)
KeePassXC                  $0                                    No (no built-in sync)

PearPass wins on price against everything except KeePassXC. But KeePassXC has no built-in sync: you move the database file yourself or point a file-sync tool at it. PearPass delivers sync at $0 with no server. That combination is genuinely unusual [website][README].

The catch is that “free” applies to the software. If syncing doesn’t work reliably because P2P connections fail in your network environment (corporate firewalls, carrier-grade NAT), you’re paying in time and frustration rather than money.


Deployment reality check

This is where PearPass diverges sharply from every other tool in this review series. There’s no Docker image, no VPS to spin up, no docker-compose.yml to run.

For end users: Download the desktop app from the website or mobile app from the App Store/Google Play. If the downloads work, setup is probably closer to a conventional app install than a self-hosted deployment [website].

For anyone who wants to build from source: This is where it gets complicated. The README lists 17 sibling modules that must be present in the workspace and are not declared as npm dependencies [README]:

pearpass-lib-vault
pearpass-lib-vault-core
pearpass-lib-data-export
pearpass-lib-data-import
pearpass-lib-ui-theme-provider
pear-apps-lib-feedback
pear-apps-lib-ui-react-hooks
... (and 10 more)

These modules live in separate repositories under the tetherto GitHub organization. There’s no monorepo setup script, no single clone-and-run. You’re manually cloning and arranging a workspace. For a non-technical founder, this is a hard no. For a developer comfortable with JavaScript tooling, it’s doable but tedious [README].

The actual run command after setup: pear run --dev . — which requires Pear to be installed globally first [README].

What can go sideways:

  • P2P sync depends on both devices being reachable at the same time. Corporate firewalls, carrier-grade NAT, and restrictive mobile carrier networks can prevent a direct Hypercore connection from being established. The available sources do not say whether there is a fallback relay when hole punching fails.
  • The multi-repo workspace structure has no documented “getting started for contributors” path beyond the README’s terse instructions.
  • 399 stars means a small community and slower bug resolution. If something breaks, you’re likely debugging it yourself or waiting.
  • Browser extension maturity is unknown from available sources — the repo exists but there’s no documentation on how well autofill works in practice.

Pros and Cons

Pros

  • True zero-server architecture. No server to maintain, no VPS to patch, no database to back up. Your vault exists only on your devices. This is architecturally superior to every server-backed alternative for the threat model of “I don’t trust third-party infrastructure” [website][README].
  • Apache 2.0 license. No restrictions, no commercial caveats, no copyleft. Fork it, embed it, modify it [README].
  • Independently audited. A security audit by a named, specialized firm (Secfault Security) with a publicly available report is a meaningful signal of seriousness for a project this size [website].
  • Free, including sync. No subscription, no per-user pricing, no premium tier gating sync [website].
  • Libsodium. Using a well-understood, audited cryptographic library rather than rolling custom crypto is the right call [website].
  • Desktop + mobile + browser extension. The full client surface exists, even if maturity varies [README].

Cons

  • 399 stars. Small community = slower issue resolution, fewer people who’ve hit your specific problem, higher probability that edge cases are undiscovered bugs rather than documented limitations.
  • Pear Runtime dependency. Pear is niche. You’re adopting a second unconventional technology (alongside the password manager itself) that most developers haven’t heard of. If Holepunch/Tether changes direction on Pear, PearPass’s sync layer is affected.
  • Multi-repo workspace setup. Building from source requires manually arranging 17+ sibling repositories. There’s no documented one-click developer setup [README].
  • No independent reviews. We couldn’t find any meaningful third-party coverage of PearPass. That’s not always a red flag — niche tools fly under the radar — but it means there’s no external validation of real-world reliability at scale.
  • P2P sync reliability is unknown. The website claims “effortless P2P syncing” but provides no detail on how it handles NAT traversal, device offline scenarios, or conflict resolution [website]. These are hard problems and the solutions aren’t documented publicly.
  • No team features. Shared vaults, team management, RBAC — none of it. This is a personal password manager only [README][website].
  • Browser extension autofill maturity unknown. The repo exists but there’s no documentation on real-world autofill reliability [README].
  • Community on Keet, not Slack/Discord. Support lives in a P2P chat app that most people don’t have installed. Getting help requires downloading another Holepunch product [website].

Who should use this / who shouldn’t

Use PearPass if:

  • You have a genuine zero-server trust requirement — you don’t want your vault data on any machine you don’t control, including your own VPS.
  • You’re an individual or a very small group of technically capable people.
  • You’re comfortable with early-stage software that may have rough edges.
  • You want to support the Hypercore Protocol ecosystem and P2P software broadly.
  • You have time to debug sync issues if they arise.

Skip it (use KeePassXC) if:

  • You want zero-server and are fine managing sync manually (cloud drive, USB, Syncthing). KeePassXC is more mature, has more integrations, and a larger support community.

Skip it (use Vaultwarden) if:

  • You already run a VPS or home server. Vaultwarden is Bitwarden-compatible, battle-tested by tens of thousands of self-hosters, has a full browser extension with mature autofill, and the Bitwarden ecosystem is vast. The operational burden of maintaining a VPS is offset by the reliability gains.

Skip it (use Bitwarden Cloud) if:

  • You’re a non-technical founder who wants to escape 1Password pricing. Bitwarden’s free tier covers one person and its $10/yr premium tier covers almost everything you’d need. The trust model is “Bitwarden holds encrypted data, keys stay on your device” — which is acceptable for most threat models and doesn’t require any technical setup.

Skip it (use Passbolt) if:

  • You’re managing passwords for a team. Passbolt is built for team workflows, RBAC, and shared credentials, with a self-hosted community edition.

Alternatives worth considering

  • KeePassXC — Desktop-only, no built-in sync, but maximum maturity and community. The sync-less option for maximum control.
  • Vaultwarden — Self-hosted Bitwarden-compatible server. Best option if you have a VPS and want full Bitwarden client support (excellent browser extension, mature mobile apps, team features).
  • Bitwarden — The benchmark for open-source password managers. Cloud and self-hosted options, massive ecosystem, audited, 1Password-competitive features at a fraction of the price.
  • Proton Pass — Open-source, cloud-based, from the ProtonMail team. Free tier, end-to-end encrypted, no self-hosting.
  • Passbolt — Team-focused, self-hosted, OpenPGP-based. Best for organizations needing shared credential management.

For a non-technical founder evaluating this category, the realistic shortlist is Bitwarden vs Vaultwarden vs PearPass. Bitwarden if you want something that just works. Vaultwarden if you have a server and want full control. PearPass if you specifically don’t want any server and can tolerate early-stage software.


Bottom line

PearPass has a genuinely interesting architectural bet: eliminate the server entirely, not just your dependence on a vendor’s server. For the specific threat model of “I don’t trust any server with my vault data, including my own,” it’s the only real option. The Apache 2.0 license, Libsodium encryption, and independent security audit are all signals of serious intent. But 399 stars, a niche runtime dependency, multi-repo setup complexity, and a near-total absence of third-party reviews mean you’re accepting meaningful early-adopter risk. This is a tool worth watching — not yet a tool to bet your credentials on unless you’re technically equipped to handle rough edges and willing to contribute back when you find them.


Sources

Primary sources:

Note: No meaningful independent third-party reviews of PearPass were located at the time of writing. The search results returned for this review contained unrelated pages. All claims above are derived from primary sources only.
