MultiPass is a simple, secure, portable app which combines a secret master-password with the name of any number of websites you need passwords for, to create unique, secure passwords for each website. All you need to remember is your master-password and the name of the website and you can re-generate all your secure passwords.
Why? - How? - Usage - Features - Changelog
Get MultiPass: Windows - Linux - JavaScript
If you visit lots of websites you'll need lots of user accounts, which means lots of passwords. The problem is we don't have perfect memory, so we end up compromising in some way:
An ideal solution would need a few features:
The user provides the master password and the name of the site/application which
the password is meant for. The two parameters are hashed into a sequence of bits, which is reduced into a password.
This generated password cannot be used to find the master-password or any other generated passwords.
Put more simply: Master-password + URL -> Scramble -> New password for URL
Nothing needs to be stored, nothing can be lost: As long as you remember the master password you'll be able to regenerate all your passwords at any time, yet each password generated will be unique and secure.
The code used to do this is simple and portable enough to be implemented in the browser using JavaScript (see below), so it can be implemented however/wherever required.
- Open
- Enter password
Choose a master-password: This must remain secret and not be
used elsewhere, and like all passwords it should be long and secure.
The scrambled master-password on the right is the confirm-code, used later to check that the
correct password has been entered.
- Confirm
Now the master-password is confirmed by entering it again, to make sure there were no typos. The two confirm-codes match, so URL/name is enabled.
- Enter URL/Name
Anything you need a password for can now be generated here: Just type the URL/name in and the master-password and URL/name will be combined and scrambled to generate a secure password.
- Generate many secure passwords
By clicking Save to save URLs/names you don't have to enter the full name in every time you need the password. All the URLs/names you save are saved to the drop-down list.
- Open again to retrieve passwords
When you open it up the next time the confirm-code is still on the right.
- Enter password
As you enter in the master-password you chose last time the
new confirm-code is checked against the saved one.
(If the master-password is forgotten the confirm-code won't
be any help in getting it back.)
- Generate/re-generate passwords
Once the new confirm-code matches the saved one you must have entered the correct master-password, so your password is instantly confirmed without typing it again.
URLs/names and confirm-codes are stored only to make things faster; all you need
to know to generate your passwords is the master-password and the URLs/names.
You can try this out for yourself: Use a master-password of "atestpassword", and a
URL/name of "http://kestas.kuliukas.com/MultiPass/", and you'll get a generated password
"FXdxJw4Jz2"
.. for Windows
Install MultiPass. Download MultiPass standalone exe. Download MultiPass source code.
.. for Linux
MultiPass on Ubuntu Linux 10.04 via Mono.
Having to briefly go back to Linux recently I expected I'd need to rewrite this in Java to get access
to all of my passwords, but I was stunned at how effectively MonoDevelop imported the Visual Studio
solution, compiled it into a .exe that runs on Windows and Linux (via mono) without any changes to
the source required.
After this I found that even that wasn't necessary, and that mono can run the Windows compiled exe file
below, which is pretty impressive.
So; download MultiPass.zip, extract MultiPass.exe, ensure Mono is installed,
and run it using:
$ mono MultiPass.exe
.. in JavaScript
This JavaScript web-browser MultiPass implementation gives a good demo of what MultiPass is, and shows the simplicity and portability of the algorithm. For security and convenience reasons it isn't intended as an alternative to the actual app, just as a demo.
It could be used as a last-resort if you are unable to run programs on a computer but need to know passwords (the reason it was made), but only if you have downloaded and checked a copy of the .js files from a trusted connection.
Do not enter a master-password which you use for serious passwords into any remote web-page, ever!
*Thanks to Paul Johnston for this JavaScript MD5 library.
The passwords generated are the same as the app itself, given the same inputs; try "atestpassword" and "slashdot.org" as in the screenshot above.