Unique Password Builder’s goal is to generate a strong, different password for each website you want to log in to, while you still type the same password (which I call the master password) everywhere.
You can use Unique Password Builder via:
Password generation is sensitive code, so I strongly suggest you get the source code (and possibly inspect it) and host the code (including this page) yourself on an SSL/TLS server.
If you’re not convinced, ask yourself: what if I change the password generation code, what if there’s a critical bug, or what if this page is deleted some day?
It’s done!
It’s done, you can submit the form to log in.
We use scrypt, a password-based key derivation function created by Colin Percival, to generate the password for a site.
The protocol is "http://" or "https://"; the host is the complete domain (including subdomain).
'-4qYW0P?;j.wBuFV' = scrypt('ThisIsAMasterPassword4UniquePasswordBuilder', 'https://login.yourdomain.com/login', 8192, 8, 1, 64)
Beware that if your master password, the protocol (http/https) or the domain/subdomain changes, the generated password will be different and you won’t be able to log in!
If that happens, you can always generate the old password using the form above with the previous information.
The "user salt" is a parameter added to the URL that lets you change the generated password without changing your master password.
The Firefox or Chrome addon, this page and the bookmarklet share the same password generation code. You can use any of them and still get the same password with the same parameters.
The code includes scrypt-async-js, a library by Dmitry Chestnykh, and the icons are by Piotr Adam Kwiatkowski. Many thanks!
Thanks to Philippe Miossec for his contributions.
You can check the source code on GitHub, run the unit tests or find out more about me on paulgreg.me.
We use a difficulty of 8192 for scrypt by default (see "difficulty" in the form or "window.uniquePasswordBuilderDifficulty" in the bookmarklet above).
You can adjust it to the value you want, but it should be a power of two. The higher the number, the longer a brute-force attack takes, but the longer generation also takes on your platform (which could be an issue on mobile devices).
The user salt can be used to make it more resilient against rainbow table attacks (the longer, the better).
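The derivation and the difficulty setting described above, as an added example that is not the project's own code: it uses Node's built-in crypto.scryptSync instead of scrypt-async-js, with the parameters shown on this page (8192, 8, 1, 64). The helper names, the "|" used to join the user salt and the hex output are assumptions; the project's mapping from derived bytes to the final password characters is not reproduced here.

```javascript
// Added example, not the project's code: scrypt with the page's parameters.
const { scryptSync } = require("crypto");

// Defaults from the page: difficulty N = 8192, r = 8, p = 1, 64-byte output.
const DEFAULTS = { N: 8192, r: 8, p: 1, keyLen: 64 };

// Hypothetical helper: builds the scrypt salt from protocol + host.
// ASSUMPTION: the user salt is joined with "|"; the page does not say how it is combined.
function buildSalt(protocol, host, userSalt = "") {
  if (protocol !== "http://" && protocol !== "https://") {
    throw new Error("protocol must be http:// or https://");
  }
  return protocol + host + (userSalt ? "|" + userSalt : "");
}

// Hypothetical helper: returns the 64 raw derived bytes as a Buffer.
function deriveSiteKey(masterPassword, salt, difficulty = DEFAULTS.N) {
  // scrypt requires N to be a power of two greater than 1.
  if (!Number.isInteger(difficulty) || difficulty < 2 ||
      (difficulty & (difficulty - 1)) !== 0) {
    throw new RangeError("difficulty must be a power of two");
  }
  const { r, p, keyLen } = DEFAULTS;
  // scrypt needs about 128 * N * r bytes of memory. Node caps it at 32 MiB by
  // default, so raise the cap with headroom when a higher difficulty is chosen.
  const maxmem = Math.max(32 * 1024 * 1024, 2 * 128 * difficulty * r);
  return scryptSync(masterPassword, salt, keyLen, { N: difficulty, r, p, maxmem });
}

// Master password taken from the page's example; the user salt "2024" is constructed.
const master = "ThisIsAMasterPassword4UniquePasswordBuilder";
const viaHttps = deriveSiteKey(master, buildSalt("https://", "login.yourdomain.com"));
const viaHttp = deriveSiteKey(master, buildSalt("http://", "login.yourdomain.com"));
const withSalt = deriveSiteKey(master, buildSalt("https://", "login.yourdomain.com", "2024"));

// Same master password, three unrelated outputs: protocol and user salt both matter.
console.log(viaHttps.toString("hex").slice(0, 16));
console.log(viaHttp.toString("hex").slice(0, 16));
console.log(withSalt.toString("hex").slice(0, 16));
```

Raising the difficulty raises memory use as well as time (roughly 128 × difficulty × 8 bytes), which is why high values can fail or stall on mobile devices.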