Gregory Trubetskoy

Notes to self.

Simple Solution to Password Reuse


Here’s a KISS solution to all your password reuse problems. It requires remembering only *one* strong passphrase, gives you a virtually limitless number of distinct passwords, and, most importantly, does NOT store anything anywhere or send anything over the network (it is 100% browser-side JavaScript).

Stupid Simple Password Generator

Step 1:

Think of a phrase you will always remember. Keep typing until the text on the right says “strong”. Punctuation, spaces, unusual words and mixed case, while not required, are generally a good idea. The most important thing is that the script considers it strong: every password generated below is only as hard to guess as this passphrase.

Make sure this passphrase is impossible to guess for people who know you, e.g. don’t pick quotes from your favorite song or movie. Never write it down or save it on your computer in any way, shape or form!

Step 2:

Think of a short keyword describing a password, e.g. “amazon”, “gmail”, etc. This word has to be easy to remember; there is no need for it to be unique or hard to guess.

[Interactive form: Passphrase (with Strength indicator), Verify (with Correct indicator), keyword fields and the generated passwords]

That’s it! You can regenerate any of the passwords above at any time by coming back to this page; all you need to know is the passphrase (and the keywords). Since the output is fully deterministic, the only way to change a generated password is to change its keyword (e.g. “amazon2”).

Fine print: This is a proof-of-concept, use at your own risk!

How does it work?

First, credit where it is due: this page uses Brian Turek’s excellent jsSHA JavaScript SHA library and Dan Wheeler’s amazing zxcvbn password strength checking library. All we are doing here is computing a SHA-512 of the passphrase + keyword, then selecting a substring of the result. (We also append a 0 and/or a ! to satisfy most password checkers’ requirements for numbers and punctuation.) If you don’t trust that generated passwords are strong, just paste one into the passphrase field: a slice of a SHA-512 digest will practically never be rated weak. The one real caveat follows from the design itself: the scheme is a single, unsalted, fast hash, so anyone who obtains one generated password and guesses the keyword can test passphrase candidates offline at hash speed. The generated passwords are therefore exactly as strong as the passphrase, no stronger, which is why Step 1 insists on a strong one. Some improvements could be made, but the point here is that there is no reason to keep encrypted files with your passwords, along with software to open them, lying around: all that’s needed is one strong passphrase and a well established, easily available algorithm.