Stateless password generator

This page generates a password from a master password and a website domain name, and copies it to the clipboard. Because this is a deterministic, stateless process, this system can be used as a way to avoid password managers entirely. You only have to remember a master password, and deduce all passwords from it using this page. The conversion is done in your browser; your data is not sent anywhere. You can also save the page and use it locally.

The algorithm is extremely simple. The given password is the base64 encoding of the SHA-256 value of the string "domain name|master password\n".

Because SHA-256 is a cryptographic hash function, this makes it hard computationally to find back the master password and the original string, thereby ensuring that if a password is compromised, others remain safe.

Because base64 encodes bytes using alphanumeric characters, “/” and “=”, the resulting password contains at least a lowercase letter, an uppercase letter and a digit, with probability almost 1, which makes it fit into most password rules. (There is always a non-alphanumeric character, too, since the base64 encoding always ends with an = sign, as a SHA-256 value has 32 characters, which is not divisible by 3.)

And because SHA-256 and base64 are almost universally available, you can also compute the password, e.g., in a Unix shell, using

echo "domain name|master password" | cksum --base64 --algorithm sha256

Note, however, that no per-password salt is used, since this would defeat statelessness. The master password therefore needs to be very strong.

One could argue for the use of a hashing function that is harder to compute than SHA-256. This page uses SHA-256 for simplicity, ease of maintenance and ease of auditing because it is available in native browser APIs.

Don't take my word for it, though; read the source code of this page, which is about 150 lines of simple, self-contained HTML including 20 lines of simple JavaScript with zero dependencies.


I have not asked cryptography experts to review this. It fits my personal needs and satisfies my appeal for maximum simplicity. Use at your own risk. See LessPass for a similar generator that is probably more secure (at the price of not making passwords as easy to compute in a terminal).

License: BSD Zero-Clause