a bookmarklet, a universal password generator by one master password
e-cloud/1pass
OnePass is a bookmarklet to create passwords easily and securely. With its aid, a user can log on to different websites with different passwords while keeping only one master password in mind.
DECLARATION: OnePass is heavily inspired by 1pass4all. Even this README.
The best part is that one compromised password will hardly impact other ones.
Please refer to this article for more details.
In 1pass4all, the encryption code is not well considered:
- It uses sha-256/sha-224 for hashing.
- The BaseX encoding algorithms, except base64, drop output to fit their given charset, which is commented as lossy in 1pass4all/hasher.js.
- Its iteration logic in 1pass4all/passCreator.js is not well designed; the approach is widely criticized by the community in other contexts.
- The bookmarklet also includes some unnecessary interaction logic and a big TLD_LIST, which makes its size too big (~50kb).
- It provides auto-login functionality.
Instead,
- OnePass uses a universal algorithm, BaseN, created by @KvanTTT in BaseNcoding, to encode the hash result with an arbitrary charset.
- It uses a simple MVO pattern to implement the interaction logic.
- It uses the HTML5 forms feature to simplify the validation logic.
- It uses bootstrap4 for a better look of the installation page.
- It does not provide auto-login functionality.
- The bookmarklet size is about 18.5kb.
Approach 1:
Simply check out the installation page.
Approach 2:
Make sure node.js and npm/yarn are installed.
Install dependencies via npm or yarn.
After gulp/npm run build, open install.html under the /dist directory, then follow the instructions there.
One click on the OnePass bookmarklet brings up a panel for generating the password. Enter the master password and click the generate button. Then select (auto-selected) and copy the generated password into the form field you need to fill in.
If the user would like the username to be taken into account, he can enter the username.
More generally, the password syntax is (bracketed terms are optional):
[user ]master_password[ pass_len][ @domain][ *hash_iteration][ +salt]
where master_password's length is at least 6, the generated password's length pass_len is less than 100, hash_iteration indicates the number of hash iterations (0-9999), and salt is a cryptographic salt.
NOTE:
- User name and domain are both case-insensitive.
- The domain of the site may be imperfectly extracted (for some cross-domain websites).
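A parser sketch for the syntax and limits above, added here as an example and not taken from the OnePass source. It assumes whitespace-separated fields, a master password without spaces, and that a trailing all-digit field is pass_len; parsePasswordSpec and its field names are hypothetical.

```javascript
// Added example, not OnePass source. Assumptions: fields are separated by
// whitespace, the master password contains no spaces, and a trailing
// all-digit field is read as pass_len.
function parsePasswordSpec(input) {
  const tokens = input.trim().split(/\s+/).filter(Boolean);

  // Options are consumed right to left (reverse of the documented order).
  // The last remaining token is never consumed: it is the master password.
  const takeOption = (re) => {
    if (tokens.length < 2) return null;
    const m = re.exec(tokens[tokens.length - 1]);
    if (m) tokens.pop();
    return m ? m[1] : null;
  };
  const salt = takeOption(/^\+(.+)$/);
  const iter = takeOption(/^\*(.*)$/);
  const domain = takeOption(/^@(.+)$/);
  const len = takeOption(/^(\d+)$/);

  if (tokens.length < 1 || tokens.length > 2) {
    throw new Error('expected "[user ]master_password" before the options');
  }
  const master = tokens.pop();
  const user = tokens.length ? tokens.pop() : null;

  // Limits stated in the README (the lower bound of 1 on pass_len is assumed).
  if (master.length < 6) throw new Error('master_password must be at least 6 characters');
  if (len !== null && !(Number(len) >= 1 && Number(len) < 100)) {
    throw new Error('pass_len must be less than 100');
  }
  if (iter !== null && !(/^\d+$/.test(iter) && Number(iter) <= 9999)) {
    throw new Error('hash_iteration must be an integer from 0 to 9999');
  }

  return {
    // User name and domain are case-insensitive, so normalise them before hashing.
    user: user === null ? null : user.toLowerCase(),
    master,
    passLen: len === null ? null : Number(len), // null = option omitted
    domain: domain === null ? null : domain.toLowerCase(),
    iterations: iter === null ? null : Number(iter),
    salt,
  };
}

// Constructed sample input.
console.log(parsePasswordSpec('Alice correct-horse 16 @Example.COM *100 +pepper'));
```

Rejecting out-of-range values before hashing matters here because a silently clamped or ignored option would yield a different password than the one the user expects to reproduce later.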
website complains that the generated password has illegal characters
Some websites disallow special characters in passwords. If that is the case, you may try another charset and note it down somewhere else, so you can check it if you someday forget the chosen charset.
website complains that the generated password is too long
Currently you may manually truncate the resulting password.
Find a better way to handle bitwise operations on large integers, to remove the BigInteger library and reduce the code size.
Figure out a better way to handle incompatible charsets for some websites.
This software has been tested (but not fully) in the latest browsers including Firefox, Chrome, IE, Safari and Opera, and you're welcome to report any bug or suggestion here.
Copyright 2017 e-cloud
Released under the MIT License.