https://github.com/hughperkins/openpw
Password hash generator, including console, bookmarklet, chrome extension
https://github.com/hughperkins/openpw
Last synced: 7 months ago
JSON representation
Password hash generator, including console, bookmarklet, chrome extension
- Host: GitHub
- URL: https://github.com/hughperkins/openpw
- Owner: hughperkins
- Created: 2013-03-04T08:32:17.000Z (over 12 years ago)
- Default Branch: master
- Last Pushed: 2025-02-01T13:23:04.000Z (9 months ago)
- Last Synced: 2025-02-09T11:23:20.270Z (8 months ago)
- Language: JavaScript
- Size: 14.6 KB
- Stars: 1
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
OpenPW
===================This is a password hash generator. You can generate strong unique passwords for multiple
website logins, using only a single master password (or more if you prefer). You dont
need to keep a password safe safe.Choose from the following ways of using OpenPW:
- a Chrome extension
- a bookmarklet (use with Firefox for example, or Internet Explorer)
- a standalone webpage (for passwords outside of a webpage)
- a console application (for times when you dont want to use a webbrowser; also really simple, so
you can see how it works)The cool thing about this system is:
- you dont need a password safe, which you would need to store somewhere, backup and so on
- each site's password is unique
- I can't personally see any obvious way to guess the master password, even if someone knows
a site's password, and the name of that site (but I cannot guarantee that, and you use
this script at your own risk).To use, Chrome extension
------------------------To install:
- download https://github.com/hughperkins/openpw/archive/master.zip
- unzip
- Go to chrome://extensions
- click 'developer mode'
- press 'load unpacked extension...'
- select the 'chrome' subfolder, and click 'ok'To use:
- go to a website where you want to login
- click on the blue 'key'
- type in your master password and press 'submit', or press the 'enter' key
-> the password will be filled in for you automaticallyWhat if I want to be sure I didn't mistype the master password?
- click 'confirm', and fill in a 'confirm' password
- if the passwords are different, you will see a message, and you can try againI want to change my master password. How can I put in the old and news passwords?
- click on the 'old password' field
- click the blue key
- click on 'selected field only', fill in your master password, and click 'submit'
- only the old password field will be filled in
- repeat for each of the 'new password' fieldsTo use, bookmarklet
-------------------In Firefox or Internet Explorer, using a bookmarklet is the easiest way to enter passwords.
- In your internet browser, create a bookmark in your bookmarks toolbar, and paste the contents of
inputpassword.js inside
- Go to a page where you want to enter a password
- click the bookmark
- enter your master password, and press 'enter'
- that's it!The password will be unique for each domain, and reasonably secure. Ways to hack this system
might include:
- shoulder-surfing your typing
- key-loggers
- javascript hacks in the target websiteI'm fairly sure that it's non-trivial to work backwards from a password to retrieve the
original master password, but I'm not an expert in this domain, and cannot guarantee that, and
you use this script at your own risk.Note that there are a couple of additional bookmarklets available here:
- showpass.js reveals all the password fields on the page, so you can check that the generated
passwords look reasonable
- createpassword.js has two password fields, so you have to enter the password twice. If they
are different, then it will show an error, and refuse to proceed.To use, standalone page
-----------------------Using the standalone page works where the password field is not embedded in a webpage.
- Go to https://hughperkins.github.io/openpw/standalone.html
- fill in the domain and password
- click 'Get Password'- if you click 'Add confirm', then you can type your password twice, to check you typed it
correctlyHow to generate a secure master password?
-----------------------------------------This cartoon is highly relevant: http://xkcd.com/936/
xkcd password generator here: http://preshing.com/20110811/xkcd-password-generator
Alternatively, you could pick a long sentence (10 words or more), and use the first letters
of each word. The advantage to this is it might be harder to shoulder-surf.Console version
---------------masterpass.py is a console version, using python. You can use this if you dont have access
to a web browser. It copies the password into the clipboard, without ever showing it in clear.The code is also easy to read and understand, so you can see how it works.
> python masterpass.py
Please enter domain: mydomain.com
Please enter master password for mydomain.com:
Password has been copied to your clipboardAcknowledgements
----------------The idea is from Nic Wolff, http://angel.net/~nic/passwd.current.html . I tweaked it a bit:
- made the passwords longer
- modified the bookmarklet to use a password field, so people can't shoulder-surf so easily
- added a version with a 'confirm' field
- added the 'showpass' bookmarklet
- created a console versionHow does it work?
-----------------Have a look at the python version. It's very simple:
- it takes the sha1 hash of masterpassword + ':' + domain
- then it throws away everything after the 16th character
- that's it!Is this compatible with passwordbookmarklet?
--------------------------------------------No: it doesn't have the '1a' at the end of the generated passwords. So you will need to change
your password on each website to switch from one system to the other.