Unique Password Builder

What is it?

Unique Password Builder’s goal is to generate a strong, different password for each website you log in to, while you still type the same password (which I call the master password) everywhere.

You can use Unique Password Builder via one of these options:

Disclaimer / security concerns

Generating passwords is a sensitive piece of code, so I strongly suggest you get the source code (and ideally inspect it) and host the code (including this page) yourself on an HTTPS (SSL/TLS) server.

If you’re not convinced, ask yourself what happens if I change the password generation code, if there’s a critical bug, or if this page is deleted some day...

You could also verify the strength of a generated password using the site howsecureismypassword.net (don't try it with one of the passwords you actually use, only with some you just generated from dummy values...)

Also, UniquePasswordBuilder has been reviewed by several people on the internet (to whom I’m not related), like Aaron Toponce on icanhaz.pw and Wladimir Palant on palant.de/2016/04/20/security-considerations-for-password-generators (note that the issues from that post, like the small default scrypt cost factor, have been fixed since).

Bookmarklet installation

  1. Configure the options section above (or leave the default values).
  2. Create a bookmark and paste the copied code into the address field of the bookmark.

It’s done!

Bookmarklet usage

  1. Go to any login form,
  2. Click on the bookmarklet,
  3. A form asking for your "master password" will appear,
  4. Type your master password in that password field and press enter,
  5. Each password field on the page should then be followed by a "fill password" link,
  6. Clicking on that link generates a password, unique to that URL and your master password, and fills it into the password field,
  7. Optionally, before pressing enter, you can open the developer console to see the newly generated password and information about the URL used.

It’s done, you can submit the form to log in.

Which algorithm to choose?

To better protect your master password, we recommend you choose the argon2 algorithm, which is newer and more secure.

Note that both scrypt (still there for compatibility) and argon2 generate equally secure passwords.

Under the hood

We use two password-based key derivation functions (depending on your options) to generate the password for a site: scrypt (by Colin Percival) and argon2 (by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich).

To make the password unique for each site, we use two pieces of information: the protocol and the host. The protocol is "http://" or "https://"; the host is the complete domain (including subdomain).

Example for the master password 'MyMasterPassword4UPB' and the URL 'https://login.yourdomain.com/login':

'(QZlpar;YomE%qMz' = scrypt('MyMasterPassword4UPB', 'https://login.yourdomain.com', 8192, 8, 1, 64)

Beware that, if your master password, the protocol (http/https) or the domain/subdomain changes, the generated password will be different and you won’t be able to log in!
If that happens, you can always regenerate the old password using the form above with the previous information.

The user salt is a parameter added to the URL, allowing you to change the generated password without changing your master password.

The Firefox or Chrome addon, this page and the bookmarklet share the password generation code. You can use one or the other and still get the same password when using the same parameters.

The code includes scrypt-async-js (by Dmitry Chestnykh), argon2-browser (by Antelle) and the icon set ikons (by Piotr Adam Kwiatkowski). Many thanks!

Thanks to Philippe Miossec for his contributions and argon2 support.

You may check the source code on github (This page was generated from commit: 4d8721017ab97ca879842597b3d56e9f8de4990e ) or find more about me on paulgreg.me.

Make it stronger...

You could specify a user salt to make it more resilient against rainbow table attacks (the longer, the better).

For scrypt

We use a difficulty (the scrypt cost parameter N, the 8192 in the example above) of 8192 by default.

You can adjust it to the value you want, but it must be a power of two. The higher the number, the longer a brute-force attack takes, but generating a password will also take more time on your platform (which could be an issue on mobile devices)...

For argon2

We use a difficulty of 10 by default. You could choose a greater value.