divVerent / sitehashpw

A hash based password manager that generates unique passwords per website instead of storing them in a database.

DEPRECATION

Due to the introduction of Manifest V3, and because the Argon2 library now depends on WebAssembly, which cannot be safely used in an extension (it requires an unsafe option in the Content Security Policy), this extension is now deprecated.

You can however always regenerate your passwords using a shell command on Linux, or the web version of this tool (run ./pack.sh then view index.html in a browser). Thus, you should not lose access to your accounts due to this deprecation.

A shell script tool is also provided for Linux or Chrome OS users in the file sitepw, which can be used as follows:

  1. Write your master password into the file ~/.sitepw
  2. Run ./sitepw hostname.com
  3. View the password in your shell.

Alternatively, running ./sitepw without arguments will take the current web URL from the clipboard and paste its password into the clipboard.

SiteHashPW

A hash based password manager that generates unique passwords per website instead of storing them in a database.

Given a site's domain of origin and a master password, this password manager computes a unique password per site. That way, the master password is not exposed to the sites, and you neither have to store nor remember all the per-site passwords.

Features include:

  • Three hash functions to choose from: Argon2id (secure, with 3 sets of parameters), PBKDF2 (medium, old style) and HMAC-SHA-256 (very fast but not very secure unless your master password is very long).
  • Support for two master passwords to allow migrating all sites to a new master password. Master passwords are never synced.
  • Master password can be stored in the local browser, or asked every time.
  • Storage and sync of per-site parameters, including site-specific password length, generation and hash function.
  • Password generation is simple to describe - UNIX commands can be shown to generate passwords easily even without this extension. Print those out, and you can still generate the same passwords 50 years from now with who knows what kind of computer!

You can install it from the Chrome Web Store.

Usage

Extension

To set up a master password that's saved on your machine, visit the extension options and enter it there.

To obtain a password:

  • Open the site you want to log in to.
  • Enter your username into the site's username field.
  • Click/select the site's password field.
  • Click the extension icon in the browser bar.
  • In case you have not set up a saved master password, you will be prompted for it.

The password will be filled in automatically.

Web Version

The web version can generate a bookmarklet for you: copy the "bookmarklet" link to the clipboard, then bookmark it in your browser. Make sure the bookmark's "URL" starts with JavaScript:, and add that prefix if it's missing.

Then to obtain a password:

  • Open the site you want to log in to.
  • Open the bookmark from that window.
  • In the new window, enter your master password and any settings you need for this site.
  • Copy the password from the bottom right field to the clipboard.
  • Enter your username into the site's username field.
  • Paste the password into the site's login field.

Common Tricks and Workarounds

  • In case the site does not accept pasted/autofilled passwords, add these steps:

    • Click the site's password field again.
    • Type a character, and delete it again.

    This works around many sites that do not support automatic filling of password fields.

  • In case the site does not accept a password generated by this extension due to password policies, go to the options and increment the site's generation number until it is accepted.

  • For maximum security when using the extension, do not fill in the master password, and instead prepend a "user salt" to the per-site password. This will then require knowledge of two secrets to generate a password, one of which you store on your computer (the "user salt") and one of which you enter every use.

Building

git submodule update --init --remote
./pack.sh

Installing

After building:

  • Either load the directory as an unpacked extension into Chrome.
  • Or just view the included index.html in a browser. You may host it on your web server, but never use a version hosted by someone else, as there is no way for you to ensure integrity of a hosted version!

Requested Contributions

The following additions would be very welcome:

  • More hash functions. To support the "UNIX command" approach, a hash function is only acceptable if a UNIX command that computes it is available in common Linux distributions; but there might be more than just openssl and argon2 that one can use :)
  • Compatibility with other extensions. Especially UniquePasswordBuilder has earned my respect, and I already have a shell script prototype reimplementation of it to use as UNIX command "backup solution".
  • It would be really cool to migrate this to the Web Extension API for Firefox support (including mobile).
  • In the same vein, a progressive web app could be cool, as that would allow storing the app and its settings on the phone. With the Web Share Target API this could be very usable as well then.

License

See the license file.
