• R/O
  • SSH

MakePW: Repository summary

The main repository. Contains both Python and Javascript implementations.

Recent Commits RSS

Rev. Time Author Message
36f0a3797a02 2019-04-08 05:43:51 Eric Hopper tip Added tag 2.0.1 for changeset 32b18f72c276
32b18f72c276 2019-04-08 05:29:04 Eric Hopper 2.0.1 A MANIFEST.in to exclude .hg droppings and Javascript ver...
de303b7fa65c 2019-04-08 05:13:10 Eric Hopper Update version in setup.py for bugfix.
b25dca2d17f2 2019-04-08 05:00:02 Eric Hopper Merge in mysterious stray changeset from github.
411c4460828d 2019-04-08 04:41:53 Eric Hopper Add test for word_data in makepw.
e04f5bd5aee1 2019-04-08 04:41:43 Eric Hopper Remove comment by tool.
4e7a05a685e2 2019-04-08 04:32:59 Eric Hopper Remove uncessary fixture from test.
8aa0e71678a0 2019-03-30 16:47:18 Eric Hopper Fix XKCD format password generation in Python3.
08390ed953e2 2019-03-30 16:47:03 Eric Hopper Add a test for XKCD format passwords.
e425cb843810 2019-02-25 04:18:41 Eric Hopper Added Mercurial tag 2.0 for changeset 47cc9dd819aa

Recently edited Tags

Name Rev. Time Author
2.0 47cc9dd819aa 2019-02-25 04:18:35 Eric Hopper
2.0.1 32b18f72c276 2019-04-08 05:29:04 Eric Hopper
tip 36f0a3797a02 2019-04-08 05:43:51 Eric Hopper


Name Rev. Time Author Message
default 411c4460828d 2019-04-08 04:41:53 Eric Hopper Add test for word_data in m...


MakePW Secure Password Generator


A Python command line utility I put together so I can use a master password and have it generate a site specific password for each site that needs a password. I'm in the process of adding a Javascript implementation for use in a web browser and and an Android applet implementation.

The passwords generated are carefully massaged to try to fit just about every site's password requirements and keep at least 60 bits of entropy in every password.

It should work both in Python 2.7 and any version of Python 3.

How To Use It

Example Usage

$ ./makepw.py -e --site=google.com
check_site hash is: 4Uwtzpj+3Jt0Jp

The check_site hash uses a fixed and special site name to hash your master password. This allows you to see if you've mistyped your password without revealing what it is. The check_site hash should always the same for a given master password.

In this case, 6TsgvLT+vbXZSw is the password you should use for Google. You can specify whatever you want to for the site name. It is mixed with your master password in an irreversible way to generate the site password.

Program Help Message

$ ./makepw.py --help
usage: makepw.py [-h] [--iterations ITERS] [--site SITE] [--extra] [--old]
                 [--format FORMAT] [--list-formats] [--random] [--no-check]

Generate a site password from a master password and a site name.

optional arguments:
  -h, --help            show this help message and exit
  --iterations ITERS, -i ITERS
                        Number of hash iterations. Defaults to 200000. For the
                        original behavior of a non-iterated hash, use an
                        iteration count of 0.
  --site SITE, -s SITE  Unique site or account identifier, usually the last
                        two components of site domain name (aka slashdot.org).
  --extra, -e           Backwards compatility - equivalent to --format
  --old, -o             Use old non-PBKDF2 function for generating the
                        password. Not relevant with -r
  --format FORMAT, -f FORMAT
                        Output format of resulting password. Defaults to
                        'stupid_policy13'. Use --list-formats for a list of
                        supported formats.
  --list-formats, -l    Print out a list of supported formats, like --help,
                        this short-circuits any other function.
  --random, -r          Use the OS secure random number generation to creae a
                        random password instead of asking for a master
                        password. Useful for generating master passwords, or
                        with the xkcd algorithm. Implies --no-check and
                        ignores the site name and --iterations.
  --no-check, -n        Do not print out hash for check_site site. This hash
                        can help you tell if you entered the wrong password.

How It Works

When not using --random mode, it uses the PKCS#5 v2.0 PBKDF2 with a large (but configurable) number of iterations to make sure that even if an attacker manages to get the plaintext password for a given site, it will be practically impossible for them to reverse the hash and figure out the master password.

Known Bugs

It has a small bug in which it skips 'Z', 'z' and '9' for generating the uppercase, lowercase and digit characters. When implementing this for some other language, this this bug should be faithfully replicated to maintain compatibility and allow people to use any implementation for re-creating a password they created with a different implementation.

Show on old repository browser