Ailyaut's blog

pwgen

Disclaimer 1: this is not pwgen, sorry for the confusing name, I will change it.
Disclaimer 2: I wrote this in 2023. What I consider "secure" has changed a lot since then.

'An easy to use secure password generator.'
– me in 2023

Why?

In 2022, a site on which I had an account was hacked. A lot of user information was stolen, including email addresses, IP addresses and passwords. Unfortunately I was the kind of person who always uses the same password on all sites, and that password had just been compromised.
The obvious solution would have been to use a password manager, but I wasn't comfortable with the idea that all my passwords would be protected by one single master password.
So I came up with a solution that allows me to always use extremely strong passwords, all unique, without having to memorize anything complicated.

How does it work?

The principle is ridiculously simple.

The application just creates a hash of what the user enters with the SHA-1 algorithm. Since the slightest change in input gives a completely different result, it is very easy to create unique passwords. For example, you can start with a very bad password, like “1234”, and then add the name of the service you are creating an account for, like Netflix.

The result of the following input:

1234+netflix

will be:

84b55c61cb905355057e2995c13ae833ba7d2850

Which is quite strong!

Now let’s say we want to create a password for Gmail.
We can input the following:

1234+gmail

which gives us:

77b4f11c48a113adf628bf55510d5cbe5af1e15d

A completely different result, even though we started with the same simple password.
Moreover, there is no need to worry about a password being compromised anymore: it is impossible to recover the original input from the hash, so the simple password “1234” can never be guessed by an attacker in order to deduce your other passwords.

How would I remember such a long password?

That’s the best part! You don’t!
Each time you need to log into an account, you can launch the app and type your simple password, like “1234+gmail”. The output will be exactly the same as when you first generated it! This is one of the properties of a hash: the same input will always give the same output.

Limitations

----- 2025 edit start -----

Hashes only use a very limited set of characters (the hexadecimal digits 0-9 and a-f), which makes the password easier to brute force, despite the string being 40 characters long, if the attacker knows that the password is just a hash.

I am no cryptography expert, but I see two ways of attacking such a password:

  1. Guessing the input password using social engineering or other compromised passwords and then hashing it to try it (still more expensive than just trying passwords directly).
  2. Brute forcing the final password directly, knowing that it has only a very limited set of characters.

To improve on the current design, I could read each two-character sequence of the hash as the hex code of an ASCII character and build a new string from the concatenation of those characters. This way, the password wouldn't look like a hash if it got exposed (so the use of this application wouldn't be as obvious, and attack #1 wouldn't be attempted), and guessing the input string would also be computationally more expensive if there are more steps than just hashing (which would make attack #1 more difficult). It would also solve the problem of attack #2 by using a much wider set of characters.

----- 2025 edit end -----
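Here is what the current design (from "How does it work?") and the encoding step proposed in the 2025 edit look like side by side in code. This is an added example written for this page, not the app's own Rust, Go or Godot code. Two things are my assumptions: the 64-symbol output alphabet (letters, digits, "-" and "_") and the byte-modulo mapping into it, because the post only says "an ASCII character" and a raw byte value is not always a printable one.

```python
import hashlib
import math
import string

# Alphabet for the encoding step. Assumption of this example, not from the post:
# 64 symbols divide 256 evenly, so "byte % 64" maps every byte to a symbol
# without bias (it keeps the low 6 bits of each byte).
ENCODED_ALPHABET = string.ascii_letters + string.digits + "-_"
HEX_ALPHABET = "0123456789abcdef"


def derive_hex(user_input: str) -> str:
    """Current design from the post: the password is the SHA-1 hex digest of the input."""
    return hashlib.sha1(user_input.encode("utf-8")).hexdigest()


def derive_encoded(user_input: str) -> str:
    """2025 proposal from the post: read each two-character hex pair of the digest as
    a byte and turn it into one character. Bytes 0x00-0x1f and 0x7f-0xff are not
    printable ASCII, so this example maps each byte into ENCODED_ALPHABET instead of
    using it as a character code directly. 20 digest bytes give 20 characters."""
    digest = derive_hex(user_input)
    chars = []
    for i in range(0, len(digest), 2):
        byte = int(digest[i:i + 2], 16)
        chars.append(ENCODED_ALPHABET[byte % len(ENCODED_ALPHABET)])
    return "".join(chars)


def looks_like_hex_digest(password: str) -> bool:
    """True when a leaked password has the shape of a SHA-1 hex digest (40 hex
    characters). This is the tell the 2025 edit wants to remove."""
    return len(password) == 40 and all(c in HEX_ALPHABET for c in password)


def output_space_bits(password: str, alphabet: str) -> float:
    """Size of the output space in bits for a password drawn from `alphabet`.
    This bounds attack #2 (guessing the output directly). It says nothing about
    attack #1: a guessable input stays guessable whatever the output format."""
    return len(password) * math.log2(len(alphabet))


if __name__ == "__main__":
    # The inputs are the two examples from the post.
    for user_input in ("1234+netflix", "1234+gmail"):
        hex_pw = derive_hex(user_input)
        enc_pw = derive_encoded(user_input)
        print(user_input)
        print("  current:", hex_pw, "| looks like a hash:", looks_like_hex_digest(hex_pw),
              "| output space bits:", output_space_bits(hex_pw, HEX_ALPHABET))
        print("  encoded:", enc_pw, "| looks like a hash:", looks_like_hex_digest(enc_pw),
              "| output space bits:", output_space_bits(enc_pw, ENCODED_ALPHABET))
```

Running it prints the hex password and the encoded one for both inputs, shows that the encoded form no longer has the 40-hex-character shape, and gives the size of each output space (160 bits for 40 hex characters, 120 bits for 20 characters over 64 symbols). One caveat from a defender's point of view: both steps are deterministic and cheap for anyone who knows the scheme, so the encoding changes what a leaked password looks like far more than it changes the cost of attack #1. The derived password inherits the guessability of the input, so the input, not the output format, is the real limit on its strength.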

Try it!

You can try the current version for yourself!
I made a GUI application for Android, Windows and Linux (X11) using Godot Engine.
There are also 2 CLI versions in Rust and Golang, because I tried to learn these languages at some point.
I decline any responsibility in case something bad happens with this app. Use it at your own risk.

Downloads will be available later.

My role

Programming, UI

Software used

Godot Engine (for GUI version)