A simple, stateless password manager for Chrome

Stephan Boyer (Maker, @stephantasia) · Engineer, Airbnb
I made Hashpass because it's hard to memorize lots of passwords, and I don't like the idea of storing passwords in a proprietary database format + relying on a third-party tool to open it. Unusual for a password manager, Hashpass never writes anything to disk. Instead, it uses a simple formula to deterministically generate passwords, so there is nothing to sync and nothing to lose. You only need one secret key, so it's convenient—but it's also a single point of failure. More info on the tradeoffs: https://github.com/boyers/hashpass
Alexis Fogel (@alexisfogel) · Co-founder at Dashlane
I like the concept, but I am afraid that because of all the security breaches, you would end up with too many keys over time.
Robin Good (@robingood) · Publisher of T5 tools.robingood.com
Hi Stephan, thanks for creating HashPass. I think there is good value in having a tool like this. About 6 months ago I discovered http://my1.pw/, which seems based on the same approach, and if you could improve on its shortcomings I think you would have done something valuable for everyone out there.

My only humble complaint is with its usability. For non-tech users, finding a prompt that says "Key" and "Hash" does not mean much, and I myself upon first use was quite confused as to what was expected from me and ended up hitting the Enter key without filling in the field, as that's what I understood was expected from me there. Even now I am confused in using your only field in the pop-up, as the Tip suggests that I fill in a password, but the field I have in front of me is labelled *Key*. Also, the phrase "Press ENTER to fill in the password field." feels ambiguous, as it seems to suggest that I press Enter without entering anything in the field. If you could provide even a minimalist text that states what to do, or provide a tiny example of the steps to follow (even on the Chrome store page), I think you would get a hell of a lot more traction and adoption.

P.S.: I have just now discovered the info at https://github.com/boyers/hashpass, but while this is well illustrated and documented, I still get confused by the interchangeable use of the terms "password" and "key" and get totally off-sided when I read *hash*. Unless this tool is targeted at nerds only, I'd humbly welcome plainer terminology and consistency in its use, as well as a really simple step-by-step example that can be viewed and understood in one screen. My two cents. Keep it up!
Stephan Boyer (Maker, @stephantasia) · Engineer, Airbnb
Great feedback, thanks! The term "password" is definitely confusing because it could refer to what you type in the popup, or the generated password. I tried to consistently use "key" to refer to what you enter, and "hash" to refer to the generated password. You bring up a great point that these are not terms that would make sense to laypeople. To some extent, I designed this with techies in mind. To use Hashpass correctly, you do need to understand the basic security model. If you pick a weak key, Hashpass won't protect you against dictionary attacks since it doesn't generate/store a salt. Similarly, if you pick a short key, you'll be vulnerable to a brute-force attack (the hashing function is slow, but it's not *that* slow). So it's crucial that you pick a strong password, or else an attacker can gain access to all of your accounts. I'm thinking about adding the option to use a salt (enabled by default) to make it safer for laypeople. If/when that happens, the copy will be de-jargon-ized for a nontechnical audience.
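The salt trade-off from the reply above, as an added example (not part of the thread and not Hashpass's own code): a stateless derivation with no salt gives the same output to everyone who picks the same key, while a per-user salt separates them. The iterated SHA-256 construction, the `domain/key` layout, the round count, the helper names and all sample values are assumptions made for illustration.

```python
import base64
import hashlib

ROUNDS = 2 ** 16  # assumed work factor; the thread only says the hash is "slow"


def derive(domain, key, salt=b"", rounds=ROUNDS):
    """Stateless derivation: nothing stored, same inputs give the same output."""
    state = salt + f"{domain}/{key}".encode("utf-8")
    for _ in range(rounds):
        state = hashlib.sha256(state).digest()
    # 12 bytes (96 bits) encode to exactly 16 base64 characters, no padding.
    return base64.b64encode(state[:12]).decode("ascii")


def users_sharing_output(users, domain, rounds=ROUNDS):
    """Group users whose derived password for `domain` is identical.

    `users` maps a user name to (key, salt). A group larger than one means
    a single precomputed guess list is valid against every member of it.
    """
    groups = {}
    for name, (key, salt) in users.items():
        groups.setdefault(derive(domain, key, salt, rounds), []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def exhaust_seconds(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every key of the given shape at a given rate."""
    return alphabet_size ** length / guesses_per_second


# Constructed sample data: two users picked the same weak key.
UNSALTED = {"alice": ("sunshine1", b""), "bob": ("sunshine1", b"")}
SALTED = {"alice": ("sunshine1", b"\x01" * 16),
          "bob": ("sunshine1", b"\x02" * 16)}

if __name__ == "__main__":
    print("unsalted, shared output:", users_sharing_output(UNSALTED, "example.com"))
    print("salted, shared output:  ", users_sharing_output(SALTED, "example.com"))
    # Constructed rate of 10,000 guesses/s against 8 lowercase letters.
    days = exhaust_seconds(26, 8, 10_000) / 86_400
    print(f"8 lowercase letters exhausted in about {days:.0f} days")
```

A salt has to be stored or carried between devices, so adding one gives up part of the "nothing to sync" property the tool is built around.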