Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Password manager without a password manager


Since password managers are big and complicated and I currently am pretty bored since I am sitting in a car for a few hours, here is a simple algorithm to generate resource-specific, unique passwords using a master password and no password database.


As pointed out here: this method is broken.


Simply paste the following line into a shell, type your master password (correctly, please, for there are no safeguards in place to protect you from typos) and press [enter] [ctrl-d] and you will be provided with a secure password specific for

(sha512sum ~/.salt -<<<;sha512sum -)|cut -d\  -f1|sha512sum|cut -c-32

Please not that this line will produce the same password every time you invoke it, provided that nobody messed around in your .salt file and you still remember your master password.

The salt can be pretty much any immutable file (i.e. .jpg and other files which tend to be modified by programs because of stored metadata are a really bad idea), as long as it is more or less unique. I generated mine with the following command line:

(dmesg;env;head -c16 /dev/random)|sha512sum>>~/.salt; chmod 400 ~/.salt

Under certain circumstances, this line may take a few seconds while /dev/random gathers entropy.

Principle of operation

The password generate takes hex sha512-hashes of your salt file, your master password and the resource name you wish to generate a password for (i.e. e.g. a domain name), concatenates them one per line, hashes the result and takes the first 32 characters of the result's hex value. The resulting value is dependant on each of the three variables and no one of the variables can be computed from it (these are properties of cryptographic hashes as sha-512 is one). Obviously, the process could be improved if you would find a portable way to encode the resulting hash in a charset consisting of more than 16 digits, for then the resulting password could be made significantly shorter than 32 characters without loosing any entropy compared to now.

The salt file generation takes your dmesg (system-specific), your env (user specific) and a few random bytes (random), concatenates and hashes them, and puts the hash's hex string into the salt file.

Copy link

MatthewWilkes commented Aug 13, 2012

I like this idea, I was about to comment on it saying that it won't work in practice because lots of websites put in restrictions on your password (8-10 characters, no special chars, at least one number, anyone?), but it occurs to me that it should be relatively simple to write a filter program that takes the password this generates and modifies it to fit in the rules (while maintaining the maximum entropy it can). That could even keep a note of password length rules for various sites, so you don't have to look them up every time.

Copy link

jeremyjh commented Aug 13, 2012

So this is less complicated than using Lastpass? Seems like it is more complicated without being more secure. I've still got to keep track of my master password, now I also need to remember what I used for a .salt and make sure I've got backups of that. I also would need to keep track of any transformation rules applied as Matthew points out.

Finally, I'd have to run this every time I want to login to the site, then copy the password from my terminal and paste it into the password box the screen.

I'm glad you found a way to occupy yourself on your trip but this is really not noteworthy.

Copy link

hellerbarde commented Aug 13, 2012

@jeremyjh it's a shame you couldn't envision a way of integrating this into your workflow. That doesn't mean it's not an interesting idea or not noteworthy. I for example find this very intriguing, because contrary to Lastpass, this is Open and Free.

Cheers to @jaseg !

Copy link

nnutter commented Aug 13, 2012

Others have had similar ideas, e.g. PwdHash only uses an MD5 which we know is quite weak but I think the idea is that a randomized attacker would not know that you use PwdHash and would therefore not try to attack your resource specific password in an attempt to gain your master password. PwdHash uses an algorithm to strip a URL down to its "domain" only with your master password serving as a salt for the MD5 hashing.

Copy link

nnutter commented Aug 13, 2012

Also, PwdHash also tries to minimize the occurrences of "8-10 characters, no special chars, at least one number" problems by forcing a mixture of capitals and numbers post-hashing. It will also force special characters if your master password has a special character.

If you are interested there are several implementation of the algorithm on GitHub and there are browser extensions and mobile apps.

Copy link

aethertap commented Aug 13, 2012

I like it. Might be handy to make a couple of small adjustments -- put the salt file under version control, and add a way to change the passwords on a regular schedule (maybe add the year rounded to the nearest six months to the hash input -- 2012.0 2012.5 2013.0 etc). The scheduled change thing would be a reminder to change passwords, and would also satisfy the few sites out there that require passwords to change periodically.

Copy link

shaneharter commented Aug 13, 2012

LastPass is free on your desktop. And paying for Premium is very inexpensive. That said, I'm all in favor of hacking together solutions for fun and profit.

Copy link

bitmonk commented Aug 13, 2012

LastPass was hacked not too long ago. That's the strength of a crypto algo over a database..

Copy link

ayust commented Aug 13, 2012

This seems quite similar to

Copy link

evanrelf commented Aug 13, 2012

Isn't this just a simplified version of Vault?

Copy link

jroes commented Aug 13, 2012

Hey, I really like your idea and I went ahead and transcribed (most of) it into a RubyGem.


$ gem install passwordy
$ passwordy
<enter master password>

Copy link

corroded commented Aug 13, 2012

Just a clarification, this produces a 32-character password? Most sites don't accept passwords that long, although 16-char ones are accepted. I like the idea of the length of the pass vs the complexity of its characters. Also, if you're on OSX(I'm pretty sure there's a linux port of this) you can just pipe everything to pbcopy so you automatically have it on your clipboard. Best way would be to create a one-two char alias in your shell, something like op so you can just fire your terminal (i use ctrl + ~), type op (or you can even add aliases to sites: fb for facebook etc) then boom, you got your password on your clipboard. 4 keystrokes + the site name/alias vs your 8-16 char password? I'd take this any day :)

Great idea!

Copy link

corroded commented Aug 13, 2012

And look, it's now a gem! Thanks @jroes!

Copy link

myano commented Aug 13, 2012

I don't see why people would rely on a third party service like LastPass. You are relying on their uptime to access your passwords, when I could use KeePassX and put my .kdb file everywhere I expect to use it. (Yes this may be a bit inconvenient, but the advantage here is if something happens to one of the copies of .kdb (ie it's destroyed or wiped) I have a backup located elsewhere and typically further encrypted past what just the application offers.

As far as generating passwords I think this is a nifty idea, definitely not a bullet proof idea. Then again, no solution is the perfect solution. What works for me might not work for others, and vice versa.

Copy link

JensRantil commented Aug 13, 2012

This is a great idea! I like it! Something that concerns me a little is the fact that sha512sum is limited to output characters [0-9][a-e]. This makes a generated password way weaker than it has to if a longer SHA512 sum could be reduced a shorted password with more characters that would be awesome! Could probably be done using an awk script.

@corroded and @MatthewWilkes: Once could possibly create another file that maps webside => password length. This would solve the issue of remembering the length of passwords for different websites.

Copy link

bluesmoon commented Aug 13, 2012

hex is restricted to 16 symbols though. better to use a base64 representation of the hash...

ps: it is 4:15am where i am, so...

Copy link

andreyvit commented Aug 13, 2012

@myano I guess we're less concerned about temporary unavailability (for which LastPass has a solution which few people use), and more about keeping them in sync across all devices and about the cognitive burden of having to deal with backing them up. And LastPass Premium has benefits like secure sharing.

But yeah, if the salt could be derived from something (like your personal info) so that it can be recovered, and if the master password is remembered by a browser extension, generated passwords could be a very nifty way to deal with the problem.

Copy link

dogeared commented Aug 13, 2012

If anyone's interested, I created a chrome plugin that generates high quality passwords conveniently. You put in a long secret phrase which will stay in memory for a configurable amount of time. In the password field of site you wish to log in to, you type a nickname and then hit a key sequence (default is: Ctrl+Option+Command+A) to generate a password using the secret combined with the nickname. Dig it:

Copy link

eric-brechemier commented Aug 13, 2012

I created an open-source project using a somewhat similar approach, using different hash algorithms for passwords with different sizes and ranges of characters:

GitHub Project:

Copy link

Friz-zy commented Nov 4, 2012

Hi, the python version of sha512(sha512("salt" XOR "nick : site") XOR "pass")[:32] algoritm now in and

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment