Password generator bookmarklet

Here's a newer version, which hashes only the domain name, not the whole hostname - e.g. it uses only the "site.com" part of "www.site.com" or "login.site.com". You'll need to update all your passwords!

I hate passwords. I mean, I don't mind making up and memorizing the really important ones but what about all those e-commerce and community sites that want me to create accounts? I used to end up using the same password at all of them and then I felt stupid knowing that one SQL Server exploit or disgruntled admin could cost me my whole identity.

So, I wrote a bookmarklet to make up passwords for me. It asks for my master password, which is all I have to remember, and uses it to make a unique password for each site. It even types the password into any password fields on the current page for me, whether I'm registering for a new account or logging in on a subsequent visit.

Here's the bookmarklet: Generate password. You can drag it to your browser's bookmark list or button bar to keep it handy. Or just click it right now to test it on the form below.

How does it work? It gets the hostname from the page's URL and mixes it together with your personal master password using a little cryptographic magic we call SHA-1. It will always get the same result if given that hostname and master password, but will never get that result if either changes. (Well, once in a few billion times it might.)
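The derivation described above, as an added example rather than the bookmarklet's own code. The `master:domain` input layout, base64 output, 8-character truncation, the function names and the short two-label suffix list are assumptions; Node's `crypto` module stands in for the in-page SHA-1 script.

```javascript
// Added example (not the bookmarklet's own code). Assumptions: the
// "master:domain" input layout, base64 output and 8-character length.
const crypto = require('crypto');

// Constructed, incomplete sample of two-label public suffixes; real code
// should consult the full Public Suffix List.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

// Reduce a hostname to its registrable domain: www.site.com -> site.com.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  // IP literals have no parent domain to strip down to; keep them whole.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':')) return host;
  const labels = host.split('.');
  if (labels.length <= 2) return host;
  // Without this check, every *.co.uk site would share the key "co.uk".
  const lastTwo = labels.slice(-2).join('.');
  const keep = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// Same master password + same domain always yields the same site password.
function sitePassword(master, hostname, length = 8) {
  const input = master + ':' + registrableDomain(hostname);
  const digest = crypto.createHash('sha1').update(input, 'utf8').digest('base64');
  return digest.slice(0, length);
}

// Constructed sample inputs.
const master = 'correct horse battery staple';
for (const h of ['www.site.com', 'login.site.com', 'www.site.co.uk', 'other.example']) {
  console.log(h.padEnd(16), registrableDomain(h).padEnd(14), sitePassword(master, h));
}
```

A single unsalted SHA-1 pass is fast, so anyone who obtains one generated password can test master-password guesses offline; the strength of the master password is the only thing slowing that down.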

Oh, and the SHA-1 JavaScript code is © Paul Johnston 1999-2002.

Here's a sample form to test the bookmarklet on:

Here's a plain text field that won't be affected:
Here's a password field:
Here's a text field named "password":

Here's a version of the bookmarklet that has a hard-coded MASTER_PASSWORD (which you'd replace with your own), so it fills in the passwords on the current page as soon as it's clicked or selected. Of course, anyone with access to your workstation can use it, and your master password will be stored in the clear in your bookmarks list. Still, mighty handy.

And here's an HTML/JavaScript form that will let you generate passwords for things besides the current site.

Chris Zarate has an improved version that uses only the domain name, not the whole hostname, which is convenient since some sites use one hostname for registration and another for login.