Hpass

Intro

Everyone should be using a password manager, but most people don't, because of the fears of:

Hpass is a password manager that does not store passwords. Instead, it generates them. You provide it with a master password and a domain name, and it returns a secure password for you to use with that domain.

Implementations

Specification

The way Hpass generates a password can be reproduced in a single command line:

echo -n "$DOMAIN" | \
    openssl dgst -"$HASHTYPE" -hmac "$MASTER" -binary | \
    openssl enc -base64 | \
    cut -c1-"$LEN"

Where:
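The following Python reimplementation of that pipeline is an added example, not code from the Hpass project: it takes the same four inputs the command uses (DOMAIN, MASTER, the openssl digest name HASHTYPE and the truncation length LEN), runs HMAC over the domain keyed with the master password, base64-encodes the raw digest and keeps the first LEN characters. To make the result checkable against the one-liner without a real master password, it uses the RFC 4231 HMAC-SHA-256 test vector (key "Jefe", message "what do ya want for nothing?") as a constructed sample input; the function and parameter names are this example's own.

```python
import base64
import hashlib
import hmac

# openssl enc -base64 wraps its output every 64 characters. Because the one-liner
# ends with `cut -c1-$LEN`, which cuts every line, a LEN above 64 would not give a
# single password, so the example refuses it rather than silently diverging.
OPENSSL_B64_LINE_WIDTH = 64


def hpass_b64(master: str, domain: str, hashtype: str = "sha256") -> str:
    """Equivalent of
    echo -n "$DOMAIN" | openssl dgst -$HASHTYPE -hmac "$MASTER" -binary | openssl enc -base64
    as one unwrapped base64 string (the one-liner's cut only ever reads the first line)."""
    # HMAC is keyed with the master password; the domain is the message.
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashtype).digest()
    return base64.b64encode(digest).decode("ascii")


def hpass_password(master: str, domain: str, hashtype: str = "sha256", length: int = 16) -> str:
    """Equivalent of the full one-liner: hpass_b64(...) truncated to `length` characters.

    Note that base64 of a 32-byte SHA-256 digest is only 44 characters, so a larger
    `length` still returns 44 characters, exactly as `cut -c1-$LEN` would."""
    if hashtype not in hashlib.algorithms_available:
        raise ValueError(f"unknown digest {hashtype!r}; use an openssl/hashlib digest name")
    if not 1 <= length <= OPENSSL_B64_LINE_WIDTH:
        raise ValueError(f"length must be between 1 and {OPENSSL_B64_LINE_WIDTH}")
    return hpass_b64(master, domain, hashtype)[:length]


def uses_base64_symbols(password: str) -> bool:
    """True when the password contains '+' or '/', the two base64 characters that
    some site password policies reject. The specification does not cover this
    case; knowing it in advance avoids a surprise at sign-up time."""
    return "+" in password or "/" in password


# Constructed sample input: the RFC 4231 test case 2 vector, used here as a
# stand-in for a (master, domain) pair so the output can be cross-checked with
# `echo -n "what do ya want for nothing?" | openssl dgst -sha256 -hmac Jefe -binary | openssl enc -base64`.
SAMPLE_MASTER = "Jefe"
SAMPLE_DOMAIN = "what do ya want for nothing?"

if __name__ == "__main__":
    full = hpass_b64(SAMPLE_MASTER, SAMPLE_DOMAIN)
    pw = hpass_password(SAMPLE_MASTER, SAMPLE_DOMAIN, "sha256", 16)
    print("full base64 HMAC :", full)
    print("16-char password :", pw)
    print("policy-sensitive :", uses_base64_symbols(pw))
```

Running the same parameters through the openssl pipeline above must print the same 16 characters; if it does not, the usual culprit is a trailing newline on the domain (the `-n` in `echo -n` matters) or a different spelling of the domain, since the scheme does no normalisation of its own.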

Upcoming features

Currently, if one of your generated passwords is compromised, there is no way to change it in Hpass without changing your master password. To solve this problem, future versions of Hpass should include a concept of password version. The password version will be a number, starting at 0 and incremented every time you want to change this password only. Hpass would remember this number and use it in the password generation.

The reason why the version of a password will be deterministic is to protect you against data loss: if you lose the data associated with the app, you will just have to bump a few versions until you can regenerate the correct password!

To make this convenient, Hpass will synchronize the version numbers through a secure anonymous data store. This data store should be seen as a synchronization method, not as a backup! More info on minibackup.chmd.fr.

Repository

You can browse the code on git.chmd.fr. To clone it:

git clone http://git.chmd.fr/hpass.git

What about supergenpass?

Hpass was inspired by various extensions and bookmarklets (the most famous being Supergenpass, but there are others). Supergenpass sucks in many respects:

  1. The algorithm is not proven to be secure (See why).
  2. The Supergenpass bookmarklet implementation can leak your master password (See how).
  3. The algorithm is not easily reproducible (no shell one-liners are available).

License/Credits

Useful information:
