{"id":15663987,"url":"https://github.com/waldyrious/hash-my-pass","last_synced_at":"2025-08-27T09:45:41.488Z","repository":{"id":1824351,"uuid":"2748621","full_name":"waldyrious/hash-my-pass","owner":"waldyrious","description":"A bookmarklet to generate unique passwords per website, based on a single master password.","archived":false,"fork":false,"pushed_at":"2019-03-18T00:24:20.000Z","size":2210,"stargazers_count":18,"open_issues_count":21,"forks_count":3,"subscribers_count":3,"default_branch":"gh-pages","last_synced_at":"2025-03-30T04:13:04.511Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://waldyrious.github.io/hash-my-pass/bookmarklet.min.html","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"jlong/sass-bootstrap-defunct","license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/waldyrious.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2011-11-10T13:22:26.000Z","updated_at":"2025-01-02T03:22:58.000Z","dependencies_parsed_at":"2022-09-04T16:10:28.963Z","dependency_job_id":null,"html_url":"https://github.com/waldyrious/hash-my-pass","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waldyrious%2Fhash-my-pass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waldyrious%2Fhash-my-pass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waldyrious%2Fhash-my-pass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waldyrious%2Fhash-my-pass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/waldyrious","download_url":"https://codeload.github.com/waldyrious/hash-my-pass/tar.gz/refs/heads/gh-pages","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250528681,"owners_count":21445511,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-03T13:40:44.093Z","updated_at":"2025-04-23T22:42:23.584Z","avatar_url":"https://github.com/waldyrious.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"**Hash My Pass** is a JavaScript bookmarklet\nthat generates a password for a given site\nby hashing a master password with the site's domain\n(using the [SHA-256](http://en.wikipedia.org/wiki/Secure_Hash_Algorithm) cryptographic hash function).\n\nThis way you'll have the advantage of memorizing only a single password (the master one),\nwithout the security problems of sharing passwords across sites.\n\nThe hash transformation makes it virtually impossible\nto guess the master password even if one managed to obtain the site-specific password in plaintext\n(which shouldn't happen anyway on any site that stores its user data securely).\nAnd since the hash, by definition,\nalways returns the same result for the same input,\nthere's no need to store the passwords anywhere;\nthey can simply be calculated on the fly every time the tool is used.\nAs a javascript bookmarklet, does all its work in the client side,\nso the master password is never sent through the network.\n\n### Origins \u0026 motivation\nThis idea isn't new, of course,\nand is heavily based on Nic Wolff's\n[Password generator](http://angel.net/~nic/passwd.sha1.html).\n\nSo why not just use that one?\nWell, there are a few drawbacks to Nic's code:\n\n1. The code is open (evidently, as it's Javascript)\n   but it isn't kept in a (publicly accessible) version control system.  \n   This means it can’t be easily forked,\n   receive patches (and keep the diffs, metadata \u0026 credits intact),\n   be translated, have issues publicly reported, etc.\n2. Different sites have different password requirements\n   (length, allow/require/forbid alphanum/symbols, etc.)  \n   HashMyPass takes care of this\n   by maintaining a list of exceptions\n   to the most commonly accepted format\n   (8-char passwords including letters, digits and symbols)\n   which was determined by exhaustively testing\n   the sign-up process at various sites\n   compiled from those available from\n   http://accountkiller.com and http://bugmenot.com\n   (back when the latter used to list the supported websites).\n3. The bookmarklet prompt doesn’t mask the master password.\n   Native Javascript prompts can’t do that,\n   so as a workaround HasMyPass uses an `\u003cinput type=password\u003e`\n   on a dynamically created floating dialog.\n4. The TLD list was too limited.\n   By using a more powerful regex, most domains can be covered  \n   (see http://www.iana.org/domains/root/db/\n   and PublicSuffix.org’s [public_suffix_list.dat](https://publicsuffix.org/list/public_suffix_list.dat)).\n   (Note: while the former only covers top level domains,\n   the latter aims to actually group domains under the same ownership, regardless of level,\n   which naturally requires much more work to keep up to date\n   -- see for instance [this diff as of 2016-08-18](https://www.diffchecker.com/tcbbvy7p).)\n5. And other minor annoyances\n   due to website-specific implementations\n   of login forms.\n\n### Related work\n\nOther implementations of the same concept (AFAIK) are:\n- [PasswordMaker](http://www.passwordmaker.org)\n  (the [Click](http://www.passwordmaker.org/Click) version).\n  Supports lots of hashing options, and has desktop version,\n  browser extensions, etc. Aside from the bookmarklet,\n  it's essentially a different class of system,\n  while HashMyPass aims to be a simple, no-frills solution\n  for web accounts only.\n- [SuperGenPass](http://supergenpass.com/).\n  Pretty similar, but uses the MD5 hashing algorithm rather than SHA.\n  Probably because it's also based on Nic Wolff's version,\n  which originally used MD5.\n  It also suffers from some of the same problems,\n  namely #1, #2 and #4 above.\n\n### License\nExcept Nic's implementation of the hashing algorithm,\nall the code is released under the MIT license.\nSee the LICENSE.txt file for more details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwaldyrious%2Fhash-my-pass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwaldyrious%2Fhash-my-pass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwaldyrious%2Fhash-my-pass/lists"}