Passhash Redux

Deterministic password hashing for the modern web

Generate unique, strong passwords for every site from a master key — never stored, never transmitted. Passhash Redux is a deterministic password hasher. Instead of storing your passwords in a cloud vault, it computes them on the fly from your master key and a per-site tag. The same inputs always produce the same password, so the only thing you need to remember is your master key. Your master key never leaves the extension — it lives only in the popup window, which runs in an isolated extension context that web pages cannot read. Only the derived password is sent to the page when you fill it. How it works: 1. Visit a login page — password fields show a blue pulse marker 2. Double-click the field, click the toolbar icon, or press the keyboard shortcut 3. Enter your master key (only ever typed in the extension popup, never in the page) 4. A unique password for that site is generated and filled into the field 5. Per-site settings are saved automatically so the same password is generated next time Features: • Multiple hashing algorithms: SHA-1, SHA-256, SHA-384, SHA-512, and Argon2id • Argon2id support uses RFC 9106 / OWASP-recommended parameters (64 MiB memory, 3 iterations) • Configurable password length from 4 to 26 characters • Character requirements: digit, punctuation, mixed case • Per-site special character filtering for sites with strict password rules • Hint feature: a 2-character preview lets you verify you typed your master key correctly without unmasking • Multiple ways to invoke: double-click, keyboard shortcut, toolbar icon, right-click context menu • Keyboard-friendly: tab to a password field, press the shortcut, hash fills the focused field • Works on iframes and inside open shadow DOM • Standalone HTML version included — a self-contained file you can use on any device with a modern browser, no installation needed • Import/export settings for backup or migration between browsers • Settings sync via your browser's built-in sync (no external accounts) • Also available for Firefox What makes it different from a typical password manager: Passhash Redux is not a credential vault. It does not store your passwords. There is no master vault to be breached, nothing to lose if your computer is stolen, no cloud account to compromise. Every password is computed deterministically when you need it, then forgotten. Your master key is the only secret, and it lives only in your head. Privacy: • Master key is never stored or transmitted • Site settings (algorithm, size, character requirements) are stored locally and synced via your browser's built-in sync, but no passwords are stored • No accounts required • No data is ever transmitted to any external service • No telemetry, no analytics, no tracking • No advertising • Fully open source (MIT licensed) This extension is a modern reimplementation of the original Password Hasher by Steve Cooper, rewritten from scratch for Manifest V3. Existing passwords from the original Password Hasher will work without changes. Frequently asked questions: Q: What if I forget my master key? A: There is no recovery for the master key itself — it's the only secret, and it's never stored. Without it, no passwords can be regenerated. You can export your site settings (algorithms, sizes, character requirements) for backup, but those settings are useless without the master key. Q: What if my master key is compromised? A: Change your master key. You'll need to update your password on every site you've used, since all generated passwords depend on the master key. Q: Can I use the same master key on multiple devices? A: Yes. The hash is deterministic — the same master key on any device produces the same passwords. Settings sync via your browser's built-in sync (Firefox Sync, Chrome Sync). Some users also choose to use different master keys for different categories (e.g., one for high-value accounts, another for low-value), since each master key produces a separate set of passwords. Q: Why does the extension need access to all websites? A: To detect password fields and provide the visual marker and double-click trigger. The content script only reads input[type=password] elements; it does not read other page content or send data anywhere. Firefox version: https://addons.mozilla.org/en-US/firefox/addon/passhash-redux/ Source code and project page: https://gitlab.com/eddyecho/passhash-redux