New Feature: Password Manager

Wouldn’t it be great to remember only one password, but use a different password for each site?

Most definitely, it would be great! With the steady stream of high-profile hacking incidents, it is more important than ever not to re-use a password. That way, if your password for one site is compromised, the passwords for all your other sites stay safe.

“Remember a new password for each site?”, we hear you cry! Yes, it is impractical to remember a different password for every site you register with, which is why you may need a Password Manager.

This was one of our most requested features, and we think it makes an awesome addition. So we’ve added a new ‘Password Manager’ feature under the new Tools tab.

See http://www.guerrillamail.com/tools

So how is it different from a normal password manager?

The main difference is that your master password is never sent, stored or transmitted in any form. Not even a ‘hash’ or signature of it. Nothing. Everything is done on the client side. Strictly speaking, it is a stateless password generator rather than a vault: nothing is saved anywhere, and the same Master Passphrase and domain always produce the same password, which is what lets you regenerate it from any browser.

The generated password will always contain at least one number, one upper-case character and one symbol. We may add fancier options later, but for now let’s keep things simple with just one setting.

Yes, we know: these rules that most websites impose don’t make sense for us, because our Password Manager can generate a very strong password even without numbers, upper-case letters or symbols. In fact, websites that impose such rules may unintentionally shrink the search space, since every password lacking a required character class is excluded and a cracker no longer has to try those combinations…

How to use it?

Type in the domain name of the site asking for a login and enter a very strong Master Passphrase (see http://en.wikipedia.org/wiki/Passphrase).

You may copy and paste the URL or host name of the site that is asking for a password. A counter shows how many characters the new password will have; the minimum is 8 characters. If you want a longer password, just type in a longer Master Passphrase. Whichever form of the site name you enter, use exactly the same one each time you return to that site: the domain is mixed into the derivation, so a different spelling of the site name yields a different password.

How does it work? (Warning: Nerd Talk ahead)

You may wonder about the technical details. Here is how it works:

1. A hash of the Master Passphrase is taken using the SHA-256 algorithm.

2. The hash from step 1 is passed through 10,000 rounds of HMAC-SHA256; this is mainly for key stretching (see http://en.wikipedia.org/wiki/Key_stretching). The domain name is used as the salt.

3. The hash from step 2 is used to generate a new password. The domain is used as the salt again.

4. If the result does not satisfy the rules, repeat step 3, this time changing the salt by appending a counter.

– From the 256-bit value, the generated password is produced by converting it from base 16 to a base whose alphabet is: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ`~!@#$%^&*()_-+=}]{[;:"\'?/>.<,

– All of this is done in your browser using JavaScript.

One final note: this tool is in beta and doesn’t guarantee anything or carry any warranty. Use at your own risk, although it should be perfectly adequate for most Guerrilla Mail use cases.