Who are you?

This site was made by James Coglan. I write open-source software for the Web.

Why should I trust you?

This site does not store or transmit any data you enter into it; the information you type in never leaves your computer. It contains no analytics scripts, tracking cookies or other pieces of spyware. The passwords it generates are much more secure than most people use, against brute-force attacks, dictionary attacks and password database theft.

According to Dropbox’s zxcvbn password strength measure, if your dictionary English password takes about a second to crack, those generated by Vault take over a million times the age of the observable universe to crack by brute force.

Fine, but I still don’t trust you.

And why should you, after all I am just some guy from the Internet. However, this software is open-source (released under the GPL license) and you can take a look at its source code. The site is a few simple static files that anyone is free to host themselves.

How does it work?

It takes your passphrase and a service name and generates a hash from them using PBKDF2. It then encodes the bits of this hash using a 94-character alphabet, subject to the given character constraints. This design means that each password is very hard to break by brute force, and ensures that the discovery of one service’s password does not lead to other accounts being compromised. It also means you can tailor the output to the character set accepted by each service. The use of a deterministic hash function means we don’t need to store your passwords since they can easily be regenerated; this means there’s no storage to sync or keep secure.

What can I use as my passphrase?

Absolutely any text you like. A good passphrase should consist of a few words you can easily remember but would be hard to guess, like a quotation or a song lyric.

Using a few words rather than some string of letters and numbers makes it easier for you to remember but harder for attackers to guess. But, many online services restrict the characters you can use, making you less safe. This tool lets you convert your passphrase into something each service will accept.

What should I use as a service name?

Again, this can be anything you like, it simply serves to modify your password and make it unique for every site you visit. Personally, I use the name of the site, as one word in lowercase, e.g. gmail.

If you want to make sure your password is completely unique, that is make sure that even if you and someone else have the same master passphrase and use the same service, you get different generated passwords, you can prefix the service name with your username, e.g. bob@gmail.

I also use a scheme to organise facets of a single group of passwords, for example at work I use songkick:ldap to log into our internal network, and songkick:blog to log into our Wordpress blog.

The important thing is that it be something easy to remember based on the name of the site. If you forget your passphrase or the service name, Vault cannot recover your password for you.

How am I supposed to remember the character settings for each service?

I’m working on that. In the mean time: just write them down. Unlike passwords, this information is public knowledge so it’s totally safe to keep them in a file on your desktop or a piece of paper in your wallet.

Is there a command line version?

Of course there is. If you have Node installed, run npm install -g vault. You’ll also want to take a look at the readme.