Your master password
Site name
Generated password

What is this?

11 Apr 2014 • Since the Heartbleed bug has potentially exposed HTTPS request content at many Web sites, it's a good idea to change your passwords. I'm taking this opportunity to update this password generator by making two changes: Since it is never sent anywhere, and this site doesn't use HTTPS, your master password has not been exposed; however, since the basic algorithm this page uses has not changed, passwords generated with the same master password will start with the same 8 characters, so it's better if you pick a new one.

The previous version of this page is available here.

I hate passwords. I mean, I don't mind having really important ones be made-up and memorized but what about all those e-commerce and community sites that want me to create accounts? I end up using the same password at all of them and then I feel stupid knowing that one SQL Server exploit or disgruntled admin could cost me my whole identity.

So, this is a little Javascript program that will generate a SHA-1 hash from each site's name. The idea is that you choose one master password to secure all your others, and then generate passwords for each site, server, router, &c. by putting a completely obvious name for that resource in the "Site name" field.

Then just hit return and copy your new password so you can paste it into whatever site you're registering at. It'll be different for every site, and undiscoverable by anyone who doesn't know your master password — but you can always retrieve it by simply using this form again.

(Note that all this is done by your browser running the program that's in the source of this page; nothing is passed back to my server. You can make your own local copy of this page, use it off-line, &c.)

Here's a bookmarklet version, which you can drag to your bookmark list to keep handy. (This now hashes the domain instead of the hostname, since so many sites use different servers for registration and login.)

Here's an older version of this page that generated passwords with only ten characters that ended in "1a" not "@1a".