PasswordShaker

PasswordShaker is a deterministic password generator that derives passwords from the hostnames of the sites you visit. It is an unofficial successor to PasswordMaker.

Introduction

PasswordShaker popup window showing the master password entry fields, metadata for the current site, and an OK button

This is the PasswordShaker page popup for a standard configuration. It requires the master password to be entered twice for verification.

Passwords are the number one authentication tool on the web. Chances are, if you lead even a moderately connected online life, you have a password-protected account on at least a dozen different websites. And if you have not been using a password manager, chances are that you are reusing the same password (possibly with simple variations) across multiple websites.

PasswordShaker is a hash-based password generator (an idea also known as “deterministic password manager”). It generates site-specific passwords for you based on a single master password that you supply. As such it does not employ any sort of password database, and neither does it have to keep track of the sites that you use it on.

The name pays homage to PasswordMaker, another password generator browser add-on that I used for many years before it was rendered unusable by the march of technological progress, which inspired the creation of PasswordShaker.

Features and Customizability

The full PasswordShaker settings screen showing a multitude of options and links to documentation

The PasswordShaker settings allow you to configure the parameters for your password generation as well as the appearance of the page popup. Several modern key derivation algorithms are available for you to choose from. You can also adjust the cost factor if you’d like to make your passwords more resilient to brute force attacks.
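The following is an added example, not PasswordShaker's own code, showing how a hash-based generator can turn a master password and a hostname into a site password with an adjustable cost factor. The choice of PBKDF2-HMAC-SHA256, the `demo-v1:` salt prefix, the alphabet, and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Assumed output alphabet (74 symbols); not taken from PasswordShaker.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def normalize_host(hostname: str) -> str:
    """Canonicalise so 'Example.COM.' and 'example.com' yield the same password."""
    return hostname.strip().rstrip(".").lower()


def derive_password(master: str, hostname: str, length: int = 20,
                    iterations: int = 200_000) -> str:
    """Derive a site password from (master, hostname); nothing is stored."""
    # The hostname acts as the salt, so every site gets an unrelated output.
    # The "demo-v1:" prefix is a hypothetical domain-separation label.
    salt = b"demo-v1:" + normalize_host(hostname).encode("utf-8")
    # The cost factor: each guess at the master password costs `iterations`
    # HMAC invocations. Changing it changes every derived password.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)

    # Expand the key into a byte stream and map bytes to symbols with
    # rejection sampling, so no symbol is favoured by modulo bias.
    limit = 256 - (256 % len(ALPHABET))
    out, counter = [], 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for byte in block:
            if byte < limit and len(out) < length:
                out.append(ALPHABET[byte % len(ALPHABET)])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs.
    for host in ("example.com", "Example.COM.", "example.org"):
        print(host, derive_password("correct horse battery staple", host))
```

Because the output depends on every input, the master password, hostname normalisation, algorithm, and cost factor all have to stay fixed for a site's password to be reproducible.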

Pros and Cons of Password Generators

Avoiding the reliance on a password database is the central advantage that password generators like PasswordShaker have over conventional password managers. As a result, the biggest argument for a password generator is that you are independent from your device and you don’t need to make sure that your password safe is backed up, synchronized, and so on. Also, password generators do not need to keep any sort of list of your accounts, so as a secondary advantage, an attacker cannot find out on which sites you have an account, even if all your data falls into their hands. This little bit of added privacy may be appealing to some.

These advantages carry with them a number of disadvantages, which you should be aware of before you decide to use a password generator.

This list of properties is not necessarily complete, but it should hopefully provide you with enough information to make an informed decision. If, after reading all this, you have come to the conclusion that you would like to use PasswordShaker for your password generation needs, you can get it for Firefox.

Project Perspective

In this version of the popup, there is only one master password field, but also a colorful hash visualization on the right side

This is how I have configured my PasswordShaker popup. Instead of entering the master password twice, I verify it using a hash visualization.

Even though it was created out of pure practical necessity, I really poured my heart into this project when I got started with it. If I may say so myself, it shows in the user experience and in the quality of things like the documentation. I don’t know if I can recommend the concept of a deterministic password manager to all users, but at least for previous users of PasswordMaker it should offer a good replacement.

There are currently no urgent issues with this add-on on my agenda and the usage numbers according to Mozilla are pretty low, so I have no immediate plans to make changes to the add-on. Hopefully one day I’ll add customizable site-specific rules to the settings page (currently the site-specific rules are pulled from a static database that the user cannot modify). That would be one nice new feature to have that I sometimes think I would enjoy. Other than that though, I’m pretty happy with what it is.

Side note: PasswordShaker was what prompted the creation of Mosaic Visual Hash, which I liked enough to extract it into its own little project.