PasswordShaker

Introduction

This is the PasswordShaker page popup for a standard configuration. It requires the master password to be entered twice for verification.

Passwords are the number one authentication tool on the web. Chances are, if you lead even a moderately connected online life, you have a password-protected account on at least a dozen different websites. And if you have not been using a password manager, chances are that you are reusing the same password (possibly with simple variations) across multiple websites.

PasswordShaker is a hash-based password generator (an idea also known as “deterministic password manager”). It generates site-specific passwords for you based on a single master password that you supply. As such it does not employ any sort of password database, and neither does it have to keep track of the sites that you use it on.

The name pays homage to PasswordMaker, another password generator browser add-on that I used for many years before it was rendered unusable by the march of technological progress, which inspired the creation of PasswordShaker.

Features and Customizability

The PasswordShaker settings allow you to configure the parameters for your password generation as well as the appearance of the page popup. Several modern key derivation algorithms are available for you to choose from. You can also adjust the cost factor if you’d like to make your passwords more resilient to brute force attacks.

Pros and Cons of Password Generators

Avoiding the reliance on a password database is the central advantage that password generators like PasswordShaker have over conventional password managers. As a result, the biggest argument for a password generator is that you are independent from your device and you don’t need to make sure that your password safe is backed up, synchronized, and so on. Also, password generators do not need to keep any sort of list of your accounts, so as a secondary advantage, an attacker cannot find out on which sites you have an account, even if all your data falls into their hands. This little bit of added privacy may be appealing to some.

These advantages carry with them a number of disadvantages, which you should be aware of before you decide to use a password generator.

• Because they are mathematically generated, you cannot easily change one of your passwords. If your password on a website you use gets compromised and you have to start using a new one, a deterministic password generator like PasswordShaker will just keep generating the same password for the site. The only thing you can do – other than making small adjustments to the generated password by hand and remembering them – would be to change your master password (or your password generation settings), thereby changing your generated passwords for every website.
• Some websites have specific password requirements such as odd minimum or maximum password lengths or overly specific minimum or maximum counts of particular character classes. In general, PasswordShaker has no way of knowing the site’s specific requirements, which may sometimes lead to you having to make adjustments to the password by hand. PasswordShaker attempts to mitigate this problem by including a curated list of password requirements for some of the most commonly-used websites, but this list will never be complete.
• A special case of odd password requirements is when websites issue you a password that you cannot change. While this is generally considered a poor security decision on part of the website, it is a reality that some of us have to accommodate. Storage-based password managers can save those passwords for you the same as any other, but PasswordShaker and other password generators cannot assist you in managing them.
• PasswordShaker’s default configuration aims to provide you with password generation settings that should be reasonable for most users. However, if you make changes to the settings that influence your generated passwords, you will need to remember those settings when installing PasswordShaker on a new device to be able to access the same passwords. In a sense, if your settings are so complex that you need to keep a backup of the settings file, you lose the advantage of being able to recover your passwords from only your memory on a new device. At that stage, a storage-based password manager may look more favorable.
• If your passwords are randomly generated, a malicious website cannot use one of your generated passwords to attempt to unlock access to your passwords for other websites. However, if an attacker is aware that you are using a hash-based password generator and they gain access to one or several of your generated passwords, they could attempt a brute force attack to guess your master password by finding one that generates the same passwords for the same websites. If an attacker manages to uncover your master password, no matter if it’s by this way or any other, they can generate any website password derived from it.

This list of properties is not necessarily complete, but it should hopefully provide you with enough information to make an informed decision. If, after reading all this, you have come to the conclusion that you would like to use PasswordShaker for your password generation needs, you can get it for Firefox.

Project Perspective

This is how I have configured my PasswordShaker popup. Instead of entering the master password twice, I verify it using a hash visualization.

Even though it was created out of pure practical necessity, I really poured my heart into this project when I got started with it. If I may say so myself, it shows in the user experience and in the quality of things like the documentation. I don’t know if I can recommend the concept of a deterministic passord manager to all users, but at least for previous users of PasswordMaker it should offer a good replacement.

There are currently no urgent issues with this add-on on my agenda and the usage numbers according to Mozilla are pretty low, so I have no immediate plans to make changes to the add-on. Hopefully one day I’ll add customizable site-specific rules to the settings page (currently the site-specific rules are pulled from a static database that the user cannot modify). That would be one nice new feature to have that I sometimes think I would enjoy. Other than that though, I’m pretty happy with what it is.

Side note: PasswordShaker was what prompted the creation of Mosaic Visual Hash, which I liked enough to extract it into its own little project.