Unique Password Builder Bookmarklet

Try it yourself:


What is it?

Unique Password Builder’s goal is to generate a strong, different password for each website you want to log in to, while you still type the same password (which I call the master password) everywhere.

You can use Unique Password Builder via:

Disclaimer / security concerns

Password generation is sensitive code, so I strongly suggest you get the source code (and possibly inspect it) and host the code (including this page) yourself on an SSL/TLS server.

If you’re not convinced, ask yourself what would happen if I changed the password generation code, if there were a critical bug, or if this page were deleted some day...

Bookmarklet installation

  1. Copy the following piece of code to the clipboard:
  2. Bookmark this page and paste the copied code into the address field of the bookmark.

It’s done!

Bookmarklet usage

  1. Go to any login form,
  2. Click on the bookmarklet,
  3. A form asking for your "master password" will appear,
  4. Type your master password in that password field and press enter,
  5. Each password field on the page should then be followed by a "generate password" link,
  6. Clicking on that link will generate a password, unique for that URL and master password, into the field,
  7. Optionally, before pressing enter, you can open the developer console to see the newly generated password and information about the URL used.

It’s done, you can submit the form to login.

Under the hood

We use scrypt, a password-based key derivation function created by Colin Percival, to generate the password for a site.

The protocol is "http://" or "https://"; the host is the complete domain (including subdomain).

Example for password 'ThisIsAMasterPassword4UniquePasswordBuilder' and URL 'https://login.yourdomain.com/login':

'-4qYW0P?;j.wBuFV' = scrypt('ThisIsAMasterPassword4UniquePasswordBuilder', 'https://login.yourdomain.com/login', 8192, 8, 1, 64)

Beware that if your master password, the protocol (http/https) or the domain/subdomain changes, the generated password will be different and you won’t be able to log in!
If that happens, you can always generate the old password using the form above with previous information.

The "user salt" is a parameter added to the URL that lets you change the generated password without changing your master password.
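
The derivation described above, as an added Node.js example (not the project's own code). It assumes the site string is protocol + host, as the description implies, and that the user salt is appended to it; siteKey and deriveSiteKey are hypothetical names, and the step that turns the 64 derived bytes into a printable password is not described on this page and is left out.

```javascript
// Added example (not the project's code): scrypt derivation with the page's parameters.
const { scryptSync } = require('node:crypto');

const DEFAULT_DIFFICULTY = 8192; // the page's default scrypt "difficulty" (N)

// Reduce a page URL to protocol + host; path, query and fragment are ignored.
function siteKey(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`unsupported protocol: ${u.protocol}`);
  }
  return `${u.protocol}//${u.host}`;
}

// scrypt requires N to be a power of two greater than 1.
function isPowerOfTwo(n) {
  return Number.isInteger(n) && n > 1 && (n & (n - 1)) === 0;
}

// Derive the 64-byte key for one site.
// ASSUMPTION: the user salt is appended to protocol + host; the page does not
// say exactly how the real tool combines them.
function deriveSiteKey(masterPassword, pageUrl, opts = {}) {
  const { difficulty = DEFAULT_DIFFICULTY, userSalt = '' } = opts;
  if (!masterPassword) throw new Error('master password is empty');
  if (!isPowerOfTwo(difficulty)) throw new Error('difficulty must be a power of two');
  const salt = siteKey(pageUrl) + userSalt;
  // r = 8, p = 1, 64 output bytes, as in the page's example call.
  return scryptSync(masterPassword, salt, 64, {
    N: difficulty, r: 8, p: 1,
    maxmem: 256 * difficulty * 8, // scrypt needs about 128 * N * r bytes
  });
}

// Constructed sample input, reusing the master password from the page's example.
const master = 'ThisIsAMasterPassword4UniquePasswordBuilder';
for (const url of [
  'https://login.yourdomain.com/login',
  'https://login.yourdomain.com/account?next=/home', // same site, other path
  'http://login.yourdomain.com/login',               // protocol changed
  'https://www.yourdomain.com/login',                // subdomain changed
]) {
  console.log(url, deriveSiteKey(master, url).toString('hex').slice(0, 16));
}
```

Under these assumptions the first two URLs print the same prefix and the last two print different ones, which is the lock-out case the warning above describes.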

The Firefox or Chrome addon, this page and the bookmarklet share the password generation code. You can use one or the other and still get the same password with the same parameters.

The code includes scrypt-async-js, a library from Dmitry Chestnykh, and the icons are from Piotr Adam Kwiatkowski. Many thanks!

Thanks to Philippe Miossec for his contributions.

You may check the source code on GitHub, launch unit tests or find more about me on paulgreg.me.

Make it stronger...

We use a difficulty of 8192 for scrypt by default (see "difficulty" in the form or "window.uniquePasswordBuilderDifficulty" in the bookmarklet above).

You can adjust it to the value you want, but it should be a power of two. The higher the number, the longer a brute-force attack takes, but the longer the password also takes to generate on your platform (which could be an issue on mobile devices)...

The user salt can be used to make it more resilient against rainbow table attacks (the longer, the better).