jonasnylund.se

The password generator

How to use it

The password generator takes two inputs and combines them into one output.
The first input, the master passphrase, should be a long, easy-to-remember string. This is your master key and can be the same for all your accounts. If you ever need to change your password, this is the word you should change.
The second input is a salt. This should be different for every site you log into. What you need is a secret way to come up with a different salt for each of your accounts, an algorithm to generate a salt from the site you visit. This algorithm is your second secret.
Now, combining these two secrets, the password generator will add the two strings together and generate a long, seemingly random password to use as a login credential for any website. What this means is that by remembering just two different things, your master password and your salting algorithm, you can have different, strong passwords on all your accounts. Should one of these accounts be compromised, the attacker will not automatically gain access to all other accounts.

Also, the use of this password generator does not excuse the use of weak passwords, such as 'password', or '1234'.

Caveats

Password security is hard, and it is not helped by stupid web design. Many websites have various forms of restrictions on what passwords are allowed. Many require a mix of upper and lowercase characters, numbers, special characters and lengths. Some (that really should know better) have an upper length limit. Some don't allow certain characters. All of this is bad, as it makes it so much harder to remember your passwords and encourages weak patterns and reuse. It is difficult to design the password generator around this, and it is inevitable that there will be mismatches on some sites. I have no good solution for this, other than getting a proper password manager.

To provide a little help with some of the issues, the password generator has been updated with two options:
URL compatible special characters
Additional special characters

What it's for

The password generator takes two input strings and combines them into a string of seemingly random characters. It works a bit like a one-time pad cipher, combining a common passphrase with a salt to generate a non-plaintext password. Given a perfectly random and secret salt, the passphrase is probably impossible to decrypt given only the generated password.

The purpose of this password generator is to make it easy to use different, strong passwords on every website where one might have an account. If one of these websites is compromised, the attacker cannot use stolen login credentials to gain access to other accounts elsewhere, xkcd 792 style. The algorithm that the generator uses is simple enough to be performed on a piece of paper, and is described further down the page. The online tool is just to make it even more convenient.

Given a perfectly random salt of ample length, the passphrase will be impossible to crack. However, human beings are not capable of generating perfectly random data, which means that in all practical cases the passphrase will be obtainable. Also, the point of the password generator is to make it easy to use different passwords on different sites. A perfectly random salt would oppose this, as the salt could be used as a password directly. The upshot is that strings generated using this generator are not uncrackable and should not be treated as such. This is not a security hash generator. The author of this site is not a security expert. Use this tool according to your own judgement.

How it works

The algorithm used to combine the passphrase and salt is simple modular addition. First, each letter in the two strings is converted into an integer number using base64 decoding. For each pair of letters, the values are added up and the resulting number is taken modulo 64, to give a new number in the range of 0-63. This value is converted back into a character using base64 encoding. Repeat this process for each pair of letters in the two strings and a string of scrambled characters will emerge.

For those with experience of base64, some issues might be immediately obvious. First, if any of the strings contains characters not used in base64 encoding, they are given the value of -1 or, equivalently, replaced with the character '/'. This is probably a non-issue for native English speakers; however, European users might want to replace some characters with similar-looking ASCII characters. This has to be done manually. For Asian users this tool might be entirely useless.
If one of the input strings is longer than the other, as is probably usually the case, the shorter string is repeated character by character until its length is equal to the longer string. This is not a secure way of generating a key for one-time pad ciphers, but as stated before this is not intended as a security hash algorithm.
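
The combination step described above, as an added Python sketch (not the site's own JavaScript or its downloadable script; the function names and sample inputs are constructed here). It also shows two consequences of the scheme: every character outside the base64 alphabet collapses to '/', and because the step is plain addition, a generated password together with its salt gives the passphrase back by subtraction.

```python
# Added illustration of the scheme described on this page; names are constructed here.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def to_values(text):
    """Map each character to its table value; unknown characters become 63 ('/')."""
    # str.find returns -1 for a character outside the alphabet, and -1 % 64 == 63.
    return [B64.find(ch) % 64 for ch in text]


def combine(passphrase, salt):
    """Add passphrase and salt position by position, modulo 64."""
    p, s = to_values(passphrase), to_values(salt)
    if not p or not s:
        raise ValueError("passphrase and salt must both be non-empty")
    n = max(len(p), len(s))  # the shorter input is repeated up to this length
    return "".join(B64[(p[i % len(p)] + s[i % len(s)]) % 64] for i in range(n))


def recover(password, salt):
    """Undo combine() for a known salt: subtraction modulo 64 inverts the addition."""
    w, s = to_values(password), to_values(salt)
    if not s:
        raise ValueError("salt must be non-empty")
    return "".join(B64[(w[i] - s[i % len(s)]) % 64] for i in range(len(w)))


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(combine("Horse", "AB"))                 # salt "AB" is repeated as "ABABA"
    print(combine("z9", "zz"))                    # sums above 63 wrap around
    print(combine("é", "A") == combine("ö", "A"))  # non-base64 characters collide
    print(recover(combine("Horse", "AB"), "AB"))  # a known salt reveals the passphrase
```

When the salt is longer than the passphrase, `recover` returns the passphrase repeated to the salt's length.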

The code running on this page is entirely JavaScript based. All calculations are done locally in your browser.

Don't want to trust the internet?

Is it really a good idea to enter your password into a textbox on the internet? That is a healthy consideration, and in general the answer is no. If you have not gained trust in this site, but like the idea, then there is a Python script available for download that you can use locally.

Another consideration is long-term support. You need your passwords to be accessible for a long time. The password generator has been available online since 2016. The offline Python script is yours once downloaded, and the algorithm is simple enough to be remembered and reimplemented. I (the author) have been using it for all my accounts for a long time, and will continue to host it for my own access.

Base64 table

It is entirely possible to compute the password generator algorithm by hand. Go character by character in your master password and salt, convert the characters to integer values using the conversion table and add them up. Use the table to convert the sum back to a character, wrapping around the end as required. With a little practice, you can do this in your head.

Value Char   Value Char   Value Char   Value Char
    0 A         16 Q         32 g         48 w
    1 B         17 R         33 h         49 x
    2 C         18 S         34 i         50 y
    3 D         19 T         35 j         51 z
    4 E         20 U         36 k         52 0
    5 F         21 V         37 l         53 1
    6 G         22 W         38 m         54 2
    7 H         23 X         39 n         55 3
    8 I         24 Y         40 o         56 4
    9 J         25 Z         41 p         57 5
   10 K         26 a         42 q         58 6
   11 L         27 b         43 r         59 7
   12 M         28 c         44 s         60 8
   13 N         29 d         45 t         61 9
   14 O         30 e         46 u         62 +
   15 P         31 f         47 v         63 /