What is HPASS?
HPASS(™, ©) is a lightweight, intuitive, simple and easy-to-use tool to
create and use strong and unique passwords. It is implemented as a
Progressive Web Application (PWA).
Why?
If you think there is room for improvement in your current approach to
password handling, you may find HPASS helpful. One way to store and share
passwords is by using a password manager. It is an often recommended and
widely used solution, but not without problems.
HPASS(™, ©) uses an alternative approach with one major advantage:
passwords are generated locally, on demand, and never stored anywhere.
For convenience, three generic settings (Secret, Special Character, Length),
used to generate strong, reproducible passwords for any given site (defined
by Hint), are stored (encrypted!) only on your local device. For an extra
layer of security, two additional parameters are provided which are never
stored anywhere: Top Secret and Burn. See the Help section for a detailed
description of all parameters and how they are used to generate passwords.
Typical usage
Assume you need a password for a website with URL https://www.abc.com. You
can simply enter abc as a password hint into the "Enter Hint" input box and
press the generate button. This will generate a password and copy it to the
clipboard; you can paste it where it is needed.
Note: You can use the Second-level Domain (SLD) - "abc" in the example
above - as a password hint, or any other string you can easily associate
with a particular site. For example, "fb" for "facebook", "bofa" for
"bankofamerica", etc.
Notes
- The default values for Special Character (default: "_") and Length
  (default: 15) have been selected to be accepted by most sites; however,
  some sites do not accept all special characters, and some impose rather
  short maximum password lengths. For these sites you need to change these
  values and save them as site-specific settings.
- The purpose of Secret is to create unique passwords for each user.
- HPASS generates a password from the given input parameters through a
  one-way hash function. The input parameters used to generate the password
  cannot be recovered from the password string.
Your settings are encrypted
All settings used to generate passwords are encrypted (the Master Password
is used to derive the encryption key) and stored locally on your device.
Encryption is done using the SubtleCrypto interface of the Web Crypto API
with the AES-GCM algorithm and a 256-bit key.
The Master Password is hashed using the SHA-512 algorithm, and the locally
stored hash is used for password validation. The password itself is never
stored.
Further security considerations
Keeping only a local copy of any sensitive information is more secure and
less tempting for any potential hackers than keeping it in a centralized
location - just compare the relative effort and payoff of breaking once into
a central database with millions of passwords vs breaking into millions of
individual devices.
However, no information is 100% secure if it is written down, and the only
secure data is the data that is kept in your head (barring any mind-reading
capabilities). There is a trade-off between security and convenience.
For those deeply concerned about malicious actors compromising their devices
and stealing password generation settings, there are some extra steps you
can take to achieve virtually 100% password security. For example you can:
- Use Top Secret and/or Burn for an extra layer of security. These two
  parameters are never stored and are removed from working memory
  immediately after the password is generated.
- Obfuscate the second-level domain in some fashion known only to you, e.g.
  append some character(s), insert a space before the last character, or use
  a nickname, e.g. "cr" instead of "consumerreports" for consumerreports.org.
- Use the generated password as a hint and generate a password again.
You can probably invent an infinite number of similar simple mnemonic
schemes to accomplish the same goal, i.e. that part of the whole
password-generating procedure is stored only in your head :)
For sites which offer it, multifactor authentication (MFA) offers an extra
layer of security. However, the rise of SIM swap scams in the 2021-2022
period illustrates that MFA is not entirely foolproof.
Last, but not least, all HPASS code is open source - you can inspect it,
comment on it, and propose and contribute improvements.
Support
If you have any questions, comments or suggestions, please send email to
info@hpass.app. Answering all questions individually might not be feasible,
but all concerns will be addressed in the Frequently Asked Questions
document.
Problems with password managers
You can find multiple sources discussing the pros and cons of using a
password manager. A very short list is:
- Pros: ability to share passwords; some offer encrypted storage for other
  sensitive information (credit card numbers, bank accounts, etc.)
- Cons: vulnerability to hacking, safety, lock-in for browser built-in
  password managers.
Similar applications
- SaltThePass - a companion app for https://saltthepass.com. SaltThePass is
  a password generator that will help you generate unique, secure passwords
  for all of the websites you visit based on a single Master Password that
  you remember.
- LessPass - generates passwords based on your master password, the domain
  of the site, and your username or email. It's a web-based tool with
  browser extensions and mobile apps.
- Master Password - uses a master password, your name, and the site domain
  to generate passwords. It's available as a web app, desktop application,
  and mobile app.
- Spectre - instead of saving and sending passwords across the internet,
  Spectre calculates the password you need, only when you need it, then
  throws it away again.
- SuperGenPass - generates passwords using a master password and the domain
  of the site. It's available as a bookmarklet and browser extension.
- HashPass - remember one master password to access all of your passwords,
  anywhere, anytime, on any device, never storing any data or having to
  synchronize anything.
- Password Hasher Plus - a browser extension that creates site-specific
  passwords based on a master password, the domain name, and other
  customizable parameters.
- PasswordMaker
- SitePassword
Further reading
- Passkey technology is elegant, but it’s most definitely not usable security
- What PWA Can Do Today
- NIST Digital Identity Guidelines SP 800-63-4 (second public draft, 28 Aug
  2024) and related Slashdot story
- What are the pros and cons of deterministic site-specific password
  generation from a master pass?
- Why passwords are more secure than TouchID
- 4 fatal flaws in deterministic password managers
- Good writeup about passwords (Google site)
- Password strength (Wikipedia)
- Most people don't trust password managers...
- Don't Let Google Manage Your Passwords
- LastPass breaches cast doubt on password manager safety
- https://blog.hypr.com/problems-with-password-managers
- https://www.makeuseof.com/are-password-managers-safe-or-not
- https://blog.knowbe4.com/what-about-password-manager-risks
- Salt (cryptography)
- hashcat: World's fastest and most advanced password recovery utility
- Stackoverflow thread on dangers of storing encrypted passwords
- "AutoPass: An Automatic Password Generator" (2017) Fatma Al Maqbali and
  Chris J Mitchell