FjompHash

This is a page which generates a unique password out of a master password and the address of a site. Using this tool, you only need to remember one password. For instance, to get your Facebook password, enter your master password, and enter facebook.com or copy-paste the address of Facebook's login page into Site URL, then press Return or click on Calculate. Even if someone finds out the calculated password, your other passwords remain safe.

Questions and answers

What if a site has login pages on multiple domains, such as ebay.co.uk and ebay.com?

You would get different passwords as a result, which may not be what you want. In this case, enter ebay manually instead of copy-pasting the login page URL. Note that ebay.com and login.ebay.com do give the same result, as only the main domain name is used, which in this case is ebay.com.

What if the passwords get leaked from a site, do I have to change my master password and therefore all other passwords as well?

Not necessarily. For instance, enter linkedin2 to get a completely new password for linkedin.com. You must remember to do this every time though.

What's wrong with Stanford PwdHash?

I have a few issues with their tool:

What is a "hash"?

Long story short, it is a mathematical way of computing a value out of another value, so that the new value is practically unique to its input but cannot be used to find out the old value. It is just like putting fruit in a blender: it's easy to mash fruit, but impossible to put it back together. What it means in this case is that it is easy to compute a site password out of the master password, but practically impossible to find out the master password from a site password.

Security

The algorithm computes the hash over 1728 iterations, where the result of each iteration is the SHA-256 hash of the previous iteration's result plus the master password and the domain name. The high number of iterations was chosen to make password cracking more difficult: every guess at the master password has to repeat all 1728 hashes.

The code is entirely written in JavaScript, therefore your passwords stay in your browser. Several measures have been taken to prevent the passwords from being transmitted on the wire. (Technical details: There are JavaScript catchers in both action and onsubmit, and all inputs live in separate <form>s.) While I take precautions to keep this tool as secure as possible, and use it for my own passwords, I give no guarantee and take no responsibility for its correct operation.

You are welcome to inspect the code for correctness, just press View source in your browser. All my code is contained in the index.html file. You are also welcome to save a copy of this page for offline use, if you are afraid that the code might change later.

If you copy-paste the site password from this page, remember to clear the clipboard afterwards by copying something else. This is especially important on a shared computer!

Note that since this tool only displays passwords that satisfy the requirement of having at least one character of each class (upper, lower, digit and other), a fraction of all otherwise possible passwords is not used, which reduces the number of passwords that would have to be guessed in a brute-force attack. However, this effect diminishes with increased password length. In mathematical terms, the entropy of an 8-character password decreases by 1.6 bits, from 48 to 46.4 bits; for a 12-character password it decreases by 0.8 bits, from 72 to 71.2 bits; and for a 20-character password it decreases by 0.3 bits, from 120 to 119.7 bits.

By the way, if you need a secure way to generate a master password, I can recommend entima.net/random, or entima.net/diceware if you prefer a Diceware password.

Acknowledgements

This tool is obviously strongly inspired by Stanford PwdHash, and borrows a subroutine from that project. It also uses CryptoJS for SHA-256 and Base64, and Bootstrap for CSS styling.

Copyright

My name is Tom Weber and I wrote this in 2014, but I claim no copyright for my part of this work. However, the subroutine for extracting the main domain name from a URL is borrowed from Stanford PwdHash, and comes with a BSD-like license. CryptoJS and Bootstrap also come with their own copyrights.