
Published on December 29th, 2014


Hashpass: A Simple “Stateless” Password Manager for Chrome



Hashpass is a Chrome extension designed to make passwords less painful. It generates a unique password for every website you use, and you only have to memorize a single secret key.
Hashpass is deterministic, meaning that it will always generate the same password for any given site and secret key. It uses a well-known formula to generate the passwords, so you could even compute them yourself.
A key feature of Hashpass is that it’s stateless. Hashpass never writes to the file system or makes network requests. There is no password database.

Installation

Install Hashpass from the Chrome App Store (link). You will then see the Hashpass button next to your address bar.

A quick tour

Click the Hashpass button and this will pop up:
Screenshot
Hashpass generates a password based on your key and the current domain. Usually you will want to select a password field first. When a password field is selected, Hashpass doesn’t show the generated password and instead gives you the option to fill in the password field:
Screenshot

How passwords are generated

Suppose your secret key is bananas, and you are signing up for Facebook. Hashpass combines the current domain name and your secret key as follows: www.facebook.com/bananas. It then computes the SHA-256 hash of that string. Then it hashes it again and again, 2^16 times in total. Finally, it outputs the first 96 bits of the result, encoded as 16 characters in Base64. In this example, the final output is sWwtmA9uA6X9SyXD. We can verify this result using Python:
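import hashlib, base64
# Python 3: hashlib works on bytes, so encode the "domain/key" string first
bits = 'www.facebook.com/bananas'.encode('utf-8')
# Re-hash the raw 32-byte digest each round, 2^16 rounds in total
for i in range(2 ** 16):
  bits = hashlib.sha256(bits).digest()
# The first 16 Base64 characters carry the first 96 bits of the digest
print(base64.b64encode(bits)[:16].decode('ascii')) # prints sWwtmA9uA6X9SyXD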
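Because the formula is public and deterministic, every generated password is only as strong as the secret key behind it. The following added example (not Hashpass's own code; the function names and the entropy levels are assumptions chosen for illustration) wraps the derivation described above in a function and measures what the 2^16 rounds cost per derivation, so you can judge how much entropy your key needs:

```python
import base64
import hashlib
import time

ROUNDS = 2 ** 16  # iteration count stated on the page


def hashpass(domain: str, key: str, rounds: int = ROUNDS) -> str:
    """Derive a site password as the page describes: SHA-256 iterated
    `rounds` times over "domain/key", first 96 bits, Base64-encoded."""
    bits = f"{domain}/{key}".encode("utf-8")
    for _ in range(rounds):
        bits = hashlib.sha256(bits).digest()
    # 96 bits = 12 bytes = exactly 16 Base64 characters, with no padding
    return base64.b64encode(bits[:12]).decode("ascii")


def seconds_per_derivation(samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation on this machine."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        hashpass("example.com", "constructed-sample-key")  # constructed input
        best = min(best, time.perf_counter() - start)
    return best


def years_to_exhaust(key_entropy_bits: float, derivation_seconds: float) -> float:
    """Single-core time to try every key of the given entropy."""
    return (2 ** key_entropy_bits) * derivation_seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(hashpass("www.facebook.com", "bananas"))  # the page's example
    # The domain string is part of the hash input, so a different host name
    # for the same site yields an unrelated password.
    print(hashpass("facebook.com", "bananas"))
    cost = seconds_per_derivation()
    print(f"one derivation: {cost * 1000:.1f} ms")
    for bits in (20, 40, 60):  # constructed entropy levels for comparison
        print(f"{bits}-bit key: {years_to_exhaust(bits, cost):.3g} core-years")
```

The timing comes from pure-Python hashing on one core, so treat the printed figures as an upper bound on the protection the iteration count provides and size the key with a wide margin.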




