One password to rule them all.

A bookmarklet to create a salted hash [1] of your password that is unique for every website you visit, thus increasing your security while still allowing you to keep your passwords few and simple.

Password hasher version 1.7, updated Feb 26 2014 (click to test, drag it to your bookmarks toolbar for keeps. It's free!)

Get a version with your own custom salt using this form:

Why do I need it?

Because you're lazy like most other people and use the same password across several websites.

Worst case scenario? One of the websites you're using is compromised, which gives the cracker access to all the websites you're on. Like handing over the keys to your house, your office, your car and your bank account. With a smile on your face. And the worst part is you might be opening other people's doors as well in the process. Good security is good for everyone.

Using this bookmarklet, you can still keep the same poor habit of recycling your password, but still have a unique password on each website you visit. And a tough one too. Even if you don't fit the profile described, it'll still (most likely) improve your password.

How does it work?

The script works by taking your password, combining it with a salt string and then creating a SHA-1 hash of the whole deal.

The default salt is the hostname, but you can, and should [2], change it by editing the salt string [3] located at the very beginning of the bookmarklet [4]. The hostname of the website you're on is appended to your own salt, to keep passwords unique across websites. (Only the TLD and the first subdomain are appended to the salt, so that websites like google.com (which has services on several hosts like mail.google.com etc.) will still work as expected.)

Still, normal security measures should be applied. Don't give out your password to anyone, don't let anyone look over your shoulder when entering a password, don't write down your password where they can be easily found, etc.
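The derivation described above, as an added example for Node.js (it is not the bookmarklet's own source). The concatenation order, the hex output and the names siteKey and derivePassword are assumptions, and the optional length limit mirrors the option mentioned for version 1.5.

```javascript
// Added illustration, not the bookmarklet's source. Assumed: concatenation
// order password + salt + site, hex output, Node.js built-in crypto.
const { createHash } = require('node:crypto');

// Reduce a hostname to its last two labels, e.g. mail.google.com -> google.com.
// Simplification: the special handling of certain TLDs added in version 1.6
// is not reproduced, and IP literals are returned unchanged.
function siteKey(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  if (/^[\d.]+$/.test(host) || host.includes(':')) return host; // IPv4 / IPv6
  return host.split('.').slice(-2).join('.');
}

// Derive the per-site password: SHA-1 over password, custom salt and site key.
// maxLength (optional) truncates the 40-character hex digest.
function derivePassword(password, salt, hostname, maxLength) {
  const digest = createHash('sha1')
    .update(password + salt + siteKey(hostname), 'utf8')
    .digest('hex');
  return maxLength ? digest.slice(0, maxLength) : digest;
}

// Constructed sample values, for demonstration only.
const master = 'scruffythedog';
const salt = 'my secret salt';
for (const host of ['mail.google.com', 'www.google.com', 'example.org']) {
  // Both google.com hosts print the same value; example.org differs.
  console.log(host.padEnd(16), derivePassword(master, salt, host, 16));
}

// With an empty custom salt only the site key is mixed in, so anyone who
// learns the base password can recompute the site password (footnote 2).
console.log(derivePassword(master, '', 'example.org', 16));
```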

The websites I use don't allow long enough passwords

Perhaps you should tell them not to restrict password length.

But seriously, even if you cut the password short, it will still be a string of gibberish and more secure than scruffythedog, cheesypeas or bigmember69.

Since version 1.5 password hasher allows you to limit the length of the generated hash.

Will this reveal all my passwords to you?

No.

The bookmarklet is stored and executed locally in your browser. No information is sent over the internet by it.

You don't need to take my word for it, the source code is provided below for you to examine.

Ok, you convinced me. How do I use it?

Start by testing that it works in your browser by clicking on the Password hasher-link at the top. If it does, drag the bookmarklet into your bookmarks toolbar. Then you can start using better passwords simply by clicking on the bookmark when logging in [2][3][4]. (You'll of course have to change your password first, by using the bookmarklet on the change password page of each website.)

By default, the script will enter the hashed password into a password input on the current webpage. If the script detects multiple password inputs, the script fills all password fields, while still attempting not to fill password fields that should contain your previous password. If the current page contains only one single password field, the form is automatically submitted [5] upon password generation.

Also, if either multiple or no password inputs are found, you are prompted with the generated password. Unfortunately, not all browsers will allow you to copy [6] the generated hash from the message box. At least Firefox (select and copy), Safari (Mac) (select and copy), Opera (select and copy) and Chrome (copy) do, though. Currently there are no plans to change the way the hash is displayed to the user, but you can do that yourself if you wish; the source is provided below. The generated password is presented in a dynamically created hovering layer.

On some browsers (at least Safari and IE) it is also possible to assign a keyboard shortcut to the bookmark to make usage even simpler, and for those browsers that don't support it natively, there might be plugins: Firefox plugin, Chrome plugin.

Are there any downsides?

Not many.

It might be slightly inconvenient if you need your current password [7] when changing passwords, unless you can copy the current password from the alert dialog.

Copying your new password to your mobile device might prove a bit cumbersome. Changing your secret "on the fly" [8] requires a few tricks also.

While possible, using the bookmarklet on a public machine will most likely be inconvenient.

Long story short, you'll have a miserable time logging in if you don't have access to the bookmarklet. If you can carry a portable browser with you (e.g. on a thumb drive) you'll be home free on any computer.

License

The bookmarklet is provided as is, free of charge, for personal, commercial or any other use. If you create derivative work or redistribute, you must also adhere to the license of the included SHA-1 algorithm implementation. (See the source for more info.)

I, the author, take no responsibility for loss of passwords, time, money, hair or car keys. That responsibility lies on you, the end user, entirely.

In short, it's covered by the WTFPL.

Will it work in my browser?

The bookmarklet has been tested and found to be working in Firefox 3.5 (Win/Mac), Safari 4 (Mac), Opera 9.6/10.10 (Win) and Chrome (Win).

Safari 4 (Win) works, but doesn't let me edit the secret, but now there's a form at the top to help you with that.

IE (Win) didn't want to play nice, which doesn't mean it won't work, just that I don't need it to do so and didn't go through the trouble to fix it. (Not yet, anyway. It might happen.) I've later learned the reason is because the bookmark address is too long for some IE versions, and disabled JavaScript features in other versions of IE, so don't hold your breath. Switch browsers instead.

Click the Password hasher-link at the top to find out if it works. (You should be seeing an input dialog after the click and a generated password after OK.)

Footnotes

1 What is a hash?
In simple terms, a hash is a one way message digest, i.e. it is not possible to calculate the input from the output. Find out more by reading the Wikipedia article. This bookmarklet uses the SHA-1 algorithm.
2 Why do I need to change the salt?
If the salt is known (such as the default salt), the hash algorithm is known, and your base password is compromised, a hashed password is no safer than the unhashed version. If the salt is unknown, your password is still safe. Nonetheless, "keep your password secret" always applies, no matter what kind of cryptography you paste on top of it! Still, the hashed version will protect you against most basic attacks, such as dictionary attacks, even if you don't customize the salt.
3 What kind of salt is a good one then?
Well, any kind, but the more random, the better. Which doesn't mean it should change every time. In order to be able to recreate the password, the salt needs to be known. A salt can be pretty much anything, e.g. My dog Scruffy likes biscuits, and so do I, but not the same kind of biscuits, mind you. I prefer chocolate chip while he prefers chipmunk flavoured.
4 Ok, how do I change the salt?
Edit the bookmark: change the part which says:
var salt = 'my secret salt';
but only the text between the quotes. Or you can use the provided form.
5 Why the automatic submit?
Just a convenience. I'm too lazy to use both the bookmarklet and manually submit and would cease using the bookmarklet. That would mean going back to letting my browser remember my passwords. This way, I can stay secure without (much) extra trouble. I assume others are equally lazy and this feature will be welcomed with open arms.
6 How do I copy text from an alert box?
Some browsers, e.g. Firefox, will allow you to select text in the alert box and copy it as you would any text. Some others, like Chrome, will copy all of the text in the alert box when you press ctrl+c. You can then paste it into any text editing software. Then there are those that won't allow it. Try and you shall see.
7 How can I find out my generated password for website X?
Log in to website X as you would normally. When logged in, click the bookmarklet and enter your password. When there are (presumably) no password fields present, the password will be shown to you in a dialog, from which you can copy [6] the password.
8 What about when I want to change my secret when I'm already using the bookmarklet?
Not a problem, it just requires some extra work, but since this is not something you'll be doing very often, it should be fine.
To change your secret on the fly, you'll need to make a new copy of the bookmarklet. The existing copy will hold your old secret, the new copy will hold your new secret. This way, you can still log in to all the websites you need to, to change your password, but will still be able to generate a new password with the second bookmarklet. When all your passwords have been changed, you can delete the bookmarklet with the old secret.

Source code

If you change the code, you need to replace % with %25, and minify it, before it can be used as a bookmarklet.

Changelog

1.7
Added checkbox for manually preventing autosubmit
Added z-index resolver to ensure the dialog is above page content
Use location.hostname instead of location.host to avoid including port numbers in the salt. NB! This may break passwords in use
Minor code cleanup
1.6
Added "no SLD awareness" for certain TLDs
Various micro-optimizations
1.5
Added option to restrict hash length
1.4
Minor tweak. A password input is now also focused on pages with multiple password inputs. (The form is not submitted.) Universally working hash + hit enter to login still not achieved though.
1.3
Replaced the window.prompt, which showed your password in plain text to anyone standing behind you, with a custom password input dialog
1.2
Replaced the window.alert, used to display the password hash in some cases, with a custom dialog, to enable copyable content in any client
1.1
Tweaks and polish
1.0
Initial release