A bookmarklet to create a salted hash of your password that is unique for every website you visit, increasing your security while still allowing you to keep your passwords few and simple.
Password hasher version 1.7, updated Feb 26 2014 (click to test, drag it to your bookmarks toolbar for keeps. It's free!)
Because you're lazy like most other people and use the same password across several websites.
Worst case scenario? One of the websites you're using is compromised, which gives the cracker access to all the websites you're on. Like handing over the keys to your house, your office, your car and your bank account. With a smile on your face. And the worst part is that you might be opening other people's doors as well in the process. Good security is good for everyone.
Using this bookmarklet, you can keep the same poor habit of recycling your password and still have a unique password on each website you visit, and a tough one too. Even if you don't fit the profile described, it will still (most likely) improve your password.
The script works by taking your password, combining it with a salt string and then creating a SHA-1 hash of the whole deal.
The default salt is the hostname, but you can, and should, change it by editing the salt string located at the very beginning of the bookmarklet. The hostname of the website you're on is appended to your own salt, to keep the password unique across websites. (Only the last two labels of the hostname are appended, so that a site like google.com, which has services on several hosts such as mail.google.com, still works as expected. The flip side is that hosts under a two-part suffix such as .co.uk all reduce to the same label.) Since the hostname is public and SHA-1 is fast to compute, the strength of a generated password against someone who has obtained it rests on your password and your own salt being hard to guess, so pick a salt that is not a dictionary word.
Still, normal security measures should be applied. Don't give out your password to anyone, don't let anyone look over your shoulder when entering it, don't write down your password where it can be easily found, etc.
Perhaps you should tell them not to restrict password length.
But seriously, even if you cut the password short, it will still be a string of gibberish and more secure than scruffythedog, cheesypeas or bigmember69. Every character you drop removes some of the hash's strength, though, so keep the limit as long as the site allows.
Since version 1.5, Password hasher allows you to limit the length of the generated hash.
No.
The bookmarklet is stored and executed locally in your browser. No information is sent over the internet by it.
You don't need to take my word for it, the source code is provided below for you to examine.
Start by testing that it works in your browser by clicking on the Password hasher link at the top. If it does, drag the bookmarklet into your bookmarks toolbar. Then you can start using better passwords simply by clicking on the bookmark when logging in. (You'll of course have to change your password first, by using the bookmarklet on the change-password page of each website.)
By default, the script enters the hashed password into a password input on the current webpage. If the script detects multiple password inputs, it fills all of them, while attempting not to fill fields that should contain your previous password. If the current page contains only one password field, the form is automatically submitted once the password has been generated.
If either multiple or no password inputs are found, you are also shown the generated password. Earlier versions displayed it in the browser's message box, from which not all browsers allowed copying (Firefox, Safari on Mac and Opera let you select and copy, and Chrome let you copy). The generated password is now presented in a hovering layer created dynamically on the page, so it can be selected and copied in any browser. There are no plans to change this further, but you can do so yourself if you wish; the source is provided below.
On some browsers (at least Safari and IE) it is also possible to assign a keyboard shortcut to the bookmark to make usage even simpler, and for those browsers that don't support it natively, there might be plugins: Firefox plugin, Chrome plugin.
Not many.
It might be slightly inconvenient if you need your current password when changing passwords, unless you can copy the current password from the dialog.
Copying your new password to your mobile device might prove a bit cumbersome. Changing your secret "on the fly" requires a few tricks as well.
While possible, using the bookmarklet on a public machine will most likely be inconvenient.
Long story short, you'll have a miserable time logging in if you don't have access to the bookmarklet. If you can carry a portable browser with you (e.g. on a thumb drive) you'll be home free on any computer.
The bookmarklet is provided as is, free of charge, for personal, commercial or any other use. If you create derivative work or redistribute, you must also adhere to the license of the included SHA-1 algorithm implementation. (See the source for more info.)
I, the author, take no responsibility for loss of passwords, time, money, hair or car keys. That responsibility lies on you, the end user, entirely.
In short, it's covered by the WTFPL.
The bookmarklet has been tested and found to be working in Firefox 3.5 (Win/Mac), Safari 4 (Mac), Opera 9.6/10.10 (Win) and Chrome (Win).
Safari 4 (Win) works, but doesn't let me edit the secret, but now there's a form at the top to help you with that.
IE (Win) didn't want to play nice, which doesn't mean it won't work, just that I don't need it to do so and didn't go through the trouble to fix it. (Not yet, anyway. It might happen.) I've later learned the reason is that the bookmark address is too long for some IE versions, and that JavaScript features are disabled in other versions of IE, so don't hold your breath. Switch browsers instead.
Click the Password hasher-link at the top to find out if it works. (You should be seeing an input dialog after the click and a generated password after OK.)
My dog Scruffy likes biscuits, and so do I, but not the same kind of biscuits, mind you. I prefer chocolate chip while he prefers chipmunk flavoured.
The salt string is the line
var salt = 'my secret salt';
at the very beginning of the bookmarklet; change only the text between the quotes, or use the provided form. If you change the code, you need to replace every % with %25 and minify it before it can be used as a bookmarklet.
Uses location.hostname instead of location.host, to avoid including port numbers in the salt. NB! This may break passwords in use on sites that were visited with a port number in the address.
Replaced window.prompt, which showed your password in plain text to anyone standing behind you, with a custom password input dialog.
Replaced window.alert, used to display the password hash in some cases, with a custom dialog, to enable copyable content in any client.