How does it work?
AlgoPW is a bookmarklet: a piece of JavaScript code that runs on the page you're currently viewing.
Cookie -> Domain
We use a pre-expired cookie (one whose expiry date is already in the past, so the browser discards it and stores nothing) to determine the site's domain. The result is the registrable domain, not the full hostname, which is why every subdomain of a site shares one password (see Limitations).
Salt (Master Password) + Domain -> Hash
The contents of your input field (your master password, which acts as the salt) are concatenated with the current domain and SHA-1-hashed to produce a digest that is unique to that site.
Hash -> Template
The hash is compared against a series of potential templates to choose among them, and is then applied to those templates to produce a series of candidate passwords.
Display
An overlay is produced on the current page displaying your password.
Limitations
This system is not secure
AlgoPW is convenient, consistent, and usable. It is not secure. Because the same system produces your password for every site, anyone who learns your system (and your master password) can derive the password for every site you use.
However, anyone who steals a set of password hashes from one site will probably be unable to tell that your password was generated, and your passwords at other sites will probably not be compromised.
The caveat: the scheme is public and SHA-1 is fast. If one site stores or leaks your generated password in plaintext, an attacker who suspects AlgoPW can try guesses at your master password offline, billions per second, and once a guess reproduces the leaked password they can derive your password for every other site. A long, unguessable master password is the only defence the design offers.
Bookmarklets are dangerous
Running code you don't understand on a webpage is dangerous. The same goes for browser extensions, and for buttons and links you don't recognize. Note also that the overlay lives inside the page you are visiting, so any script running on that page, including one an attacker has injected, can read what you type into it.
Click here to see my source code and decide for yourself whether you can trust it.
Subdomains all get the same password
Because the cookie step reduces the hostname to the registrable domain, every subdomain of a site gets the same password. In some cases, this is convenient: mail.google.com and calendar.google.com produce the same password, which is correct and useful.
In other cases, different subdomains are different sites run by different people. site1.weebly.com and site2.weebly.com receive the same password, so whoever runs one of them learns the password you use on the other. That is a security flaw, not just a technicality.
Aggressive sites won't work well
Some sites, such as USAA.com, require you to change your password regularly. AlgoPW has no per-site counter: a domain's password is fixed by your master password, so the only way to change it is to change your master password, which changes your password at every site that uses AlgoPW.