Unique Password Builder’s goal is to generate a strong, different password for each website you log in to, while you still type the same password (which I call the master password) everywhere.
You can use Unique Password Builder via one of these options:
Password generation is sensitive code, so I strongly suggest that you get the source code (and possibly inspect it) and host the code (including this page) yourself on an SSL/TLS server.
If you’re not convinced, ask yourself what would happen if I changed the password generation code, if there were a critical bug, or if this page were deleted some day...
You could also check the strength of generated passwords using the site howsecureismypassword.net (don't try it with a password you actually use, only with ones you have just generated with dummy values).
Also, UniquePasswordBuilder has been "inspected" by several people on the internet (to whom I am not related), like Aaron Toponce on icanhaz.pw and Wladimir Palant on palant.de/2016/04/20/security-considerations-for-password-generators (note that the issues from that post, like scrypt's small default cost factor, have been fixed since).
It’s done, you can submit the form to log in.
To better protect your master password, we recommend that you choose the argon2 algorithm, which is newer and more secure.
Note that both scrypt (still there for compatibility) and argon2 generate equally secure passwords.
We use two password-based key derivation functions (depending on your options) to generate the password for a site: scrypt (by Colin Percival) and argon2 (by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich).
To make the password unique for each site, we use two pieces of information: the protocol and the host. The protocol is "http://" or "https://"; the host is the complete domain (including subdomain).
'(QZlpar;YomE%qMz' = scrypt('MyMasterPassword4UPB', 'https://login.yourdomain.com', 8192, 8, 1, 64)
Beware that if your master password, the protocol (http/https) or the domain/subdomain changes, the generated password will be different and you won’t be able to log in!
If that happens, you can always generate the old password using the form above with the previous information.
The user salt is a parameter added to the URL that lets you change the generated password without changing your master password.
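The derivation described above (protocol and host as the scrypt salt, plus an optional user salt), as an added Node.js example that is not the project's own code. `siteSalt`, `toPrintable` and `sitePassword` are hypothetical names, and both the way the user salt is appended and the byte-to-character encoding are assumptions, so the output will not match the passwords Unique Password Builder generates.

```javascript
// Added illustration: not Unique Password Builder's own code.
const { scryptSync } = require('node:crypto');

// Cost parameters from the page's example: N=8192, r=8, p=1, 64-byte output.
const SCRYPT = { N: 8192, r: 8, p: 1 };
const KEY_LEN = 64;

// Per-site salt = protocol + host (path, query and fragment are ignored).
// Appending the user salt after '|' is an assumption of this sketch.
function siteSalt(url, userSalt = '') {
  const u = new URL(url);
  const base = `${u.protocol}//${u.host}`;
  return userSalt ? `${base}|${userSalt}` : base;
}

// Hypothetical encoding: map key bytes to printable ASCII (33..126).
// Bytes >= 188 (2 * 94) are skipped so that b % 94 stays unbiased.
function toPrintable(key, length) {
  let out = '';
  for (const b of key) {
    if (b < 188) out += String.fromCharCode(33 + (b % 94));
    if (out.length === length) return out;
  }
  throw new Error('not enough usable bytes in derived key');
}

function sitePassword(master, url, userSalt = '', length = 16) {
  const key = scryptSync(master, siteSalt(url, userSalt), KEY_LEN, SCRYPT);
  return toPrintable(key, length);
}

// Constructed sample inputs: same master password, four different contexts.
const master = 'MyMasterPassword4UPB';
const cases = [
  ['https://login.yourdomain.com/account?next=/', ''],
  ['http://login.yourdomain.com/', ''],
  ['https://www.yourdomain.com/', ''],
  ['https://login.yourdomain.com/', 'rotation-2'],
];
for (const [url, salt] of cases) {
  console.log(siteSalt(url, salt).padEnd(42), sitePassword(master, url, salt));
}
```

Each of the four rows prints a different password, which is why a site that moves from http to https or changes its login subdomain requires regenerating the old password from the previous values.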
The Firefox or Chrome addon, this page and the bookmarklet share the password generation code. You can use one or the other and still get the same password when using the same parameters.
The code includes scrypt-async-js (by Dmitry Chestnykh), argon2-browser (by Antelle) and the ikons icon set (by Piotr Adam Kwiatkowski). Many thanks!
Thanks to Philippe Miossec for contributions and argon2 support.
You may check the source code on GitHub (this page was generated from commit f404be5d78dd018b2dae03d05db2c24271c9eea4) or find out more about me on paulgreg.me.
You can specify a user salt to make the generated password more resilient against rainbow table attacks (the longer, the better).
We use a difficulty of 8192 by default.
You can adjust it to the value you want, but it should be a power of two. The higher the number, the longer a brute-force attack takes, but the longer the password also takes to generate on your platform (which could be an issue on mobile devices).
We use a difficulty of 10 by default. You could choose a greater value.