Passwords




What is this?

This is a demo app for generating secure passwords based on a passphrase and a domain name. As with any password manager, you enter a primary password to reveal the password for a specific domain. However, there is no need to store any passwords. You just need to remember one primary password and the generator will generate a unique password for each domain. If you switch devices or browsers, you will always have access to your passwords without the need to synchronize them.

How does it work?

The generator calculates a 256-bit hash from the passphrase, the domain name and an incrementing salt using the SHA256 algorithm. To meet the password requirements of most websites (letters, digits, special characters), the hash is base-90 encoded using the following alphabet:

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%"&/\()_+-=[]{};:'|,.<>?

If the password requirements are not met, the salt is incremented and the hash is recalculated until you get a valid password.
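
The derivation loop described above, as an added Node.js sketch (not the project's own source). The page does not say how the three inputs are combined, how the digest is mapped onto the alphabet, how long the output is or what exactly counts as valid, so the JSON framing, the big-integer base-90 conversion, the 40-character length, lowercasing the domain and the one-of-each-class policy are all assumptions; it uses a single SHA-256 pass.

```javascript
// Added example: hypothetical helper names, not taken from the Passwords script.
const { createHash } = require("crypto");

// Alphabet exactly as listed on the page (90 symbols).
const ALPHABET =
  "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" +
  "!@#$%\"&/\\()_+-=[]{};:'|,.<>?";
const LENGTH = 40; // assumption: 90^40 > 2^256, so 40 symbols hold any digest

// Treat the digest as one big integer and write it in base 90 (assumed encoding).
function encodeBase90(value) {
  let n = BigInt(value);
  let out = "";
  while (n > 0n) {
    out = ALPHABET[Number(n % 90n)] + out;
    n /= 90n;
  }
  return out.padStart(LENGTH, ALPHABET[0]);
}

// Assumed policy: at least one lowercase, uppercase, digit and special character.
function meetsPolicy(pw) {
  return /[a-z]/.test(pw) && /[A-Z]/.test(pw) && /[0-9]/.test(pw) &&
    /[^a-zA-Z0-9]/.test(pw);
}

// Hash passphrase, domain and salt; increment the salt until the policy is met.
function derivePassword(passphrase, domain) {
  for (let salt = 0; ; salt++) {
    // Assumption: JSON array framing keeps the field boundaries unambiguous,
    // so ("ab", "c.com") and ("a", "bc.com") can never hash the same input.
    const input = JSON.stringify([passphrase, domain.toLowerCase(), salt]);
    const digest = createHash("sha256").update(input, "utf8").digest("hex");
    const pw = encodeBase90("0x" + digest);
    if (meetsPolicy(pw)) return { password: pw, salt };
  }
}
```

Output from this sketch will not match the real generator unless its input framing and encoding happen to be identical.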

But my password manager is more convenient!

No worries, you don't need to visit this site every time you need to access your passwords. The source code of Passwords is designed to work with the Tampermonkey browser extension (available for all major browsers). It will prompt you for your primary password and automatically fill in the generated password.

How to install the Tampermonkey script?

Note: In general, you should not copy and execute scripts that you do not understand, especially if they involve security-related functionality. If you don’t understand what this script does, you should not use it.

How to use the Tampermonkey script?

Make sure the Tampermonkey script is enabled. Visit a login page of a website.

CTRL + ALT + G will generate a password from your primary password and fill it in the password field.

CTRL + ALT + [0-9] will fill in a username. The first time you use it, you will be prompted to enter a username.

CTRL + ALT + MINUS will delete all usernames as well as the hash of your primary password.

Why is the hash of my primary password stored?

The hash is stored so the script can verify that you entered the correct primary password without knowing the password. This is a common practice - SHA256 is a one-way function and the hash cannot be reversed to reveal the password.
However, weak passwords can still be cracked through brute-force attacks. To mitigate this, the hashing process in this script runs for thousands of iterations, making such attacks significantly more difficult.

Warning

As with all password managers, the security of your stored passwords depends on the strength of your primary password. If your primary password is weak, all your passwords are at risk. Make sure to use a strong password and never share it with anyone. A strong password must be unpredictable, meaning it should not be based on dictionary words, names, or common phrases. It should contain a mix of letters, digits, and special characters and be at least 16 characters long.

Disclaimer

As stated in the LICENSE, the author of this software is not responsible for any damages or losses resulting from the use of this software. Use at your own risk.