Computed Password

crack time: ~ @ 1e10/second

This application generates strong passwords by combining a high-entropy secret passphrase, an optional secret salt from a hardware token like the Yubikey, and other context sensitive attributes which are assumed to be public knowlege such as a username or website URL.

These inputs are then combined and processed through a cryptographic key derivation function which will always generate the same output for any given inputs. It is considered by experts to be impossible to reverse the process and discover your passphrase from anything this tool generates. These properties are what makes this tool so useful. You only need to remember a single strong passphrase in order to generate all of your passwords at anytime, from anywhere.

The use of an optional hardware token or salt adds a weak form of second factor security (something you have) to the passphrase (something you know).

The most important thing to remember to help ensure you use this tool securely is that your strong passphrase, and the optional token password, must be kept absolutely private and never used for any other purpose.

In computer science, a deterministic algorithm is an algorithm which, given a particular input, will always produce the same output, with the underlying machine always passing through the same sequence of states. Deterministic algorithms are by far the most studied and familiar kind of algorithm, as well as one of the most practical, since they can be run on real machines efficiently.

Formally, a deterministic algorithm computes a mathematical function; a function has a unique value for any input in its domain, and the algorithm is a process that produces this particular value as output.

In this context, I believe this tool to be strong due to the use of well tested and understood one-way cryptographic primitives such as HMAC-SHA-512, SHA-512, and scrypt. The real source of strength though is always in the quality of the passphrase used to derive everything else. This application uses the zxcvbn entropy estimation tool to ensure that only high entropy passphrases can be used as the seed for everything that is generated. Along with a strong passphrase this application is heavily reliant on the strength of the output of the various hashing algorithms to being reversed. In other words it is considered infeasible to discover the original passphrase from any of the outputs generated. The use of scrypt in particular, which is a 'memory-hard' function, dramatically reduces an attackers ability to re-discover the original passphrase even with custom hardware based attacks. The generated passwords all make use of only a portion of the extremely large derived key material available to them and they don't share any of that material. You can learn more by reviewing the algorithm pseudocode in a later FAQ entry, or by examining the full source code.

I created this tool for my own use. I use itno longer use it though, primarily due to usability issues which I solve much more neatly with a password manager. You can trust it to do what it says. It has been lightly reviewed by Dmitry Chestnykh who is a respected author of many cryptographic tools (and whose 'cryptopass' Chrome extension was an inspiration for this tool). It will generate strong passwords locally in your browser and will never communicate anything that you enter, or the passwords it generates, out to the Internet. You are free to browse the source code, and you can easily run a local copy by just opening the index.html file in your browser. In this case you can run this site completely offline, with your network disconnected.

I am not a cryptographer but I believe the implementation is strong based on the fact that I am using published cryptographic primatives consistent with their recommended usage based on my own research and reaching out to experts. There is no cryptographic invention claimed. Read the source code, use at your own risk, and decide for yourself if its safe (and usable) enough for you.

Here is a pseudocode version of the algorithm. Leading and trailing whitespace is stripped from all input fields before processing. Some fields are normalized to a downcased version. You can view the full source code here.

masterKey         = hmacSha512(sha512(passphrase), sha512(downcase(usernameOrAppname)))
salt              = sha512(len(usernameOrAppname) + '.' + downcase(usernameOrAppname) + '@' + len(hostname) + '.' + downcase(hostname) + ':' + len(version) + '.' + version + ':' + len(tokenSalt) + '.' + tokenSalt)
derivedKey        = scrypt(masterKey, salt, 16384, 8, 1, 32 Bytes Output)
symbol            = lookupSymbol(derivedKey[31] % 10)
number            = lookupNumber(derivedKey[30] % 10)
password          = first18Chars(base64encode(derivedKey)) + symbol + number