
Password Generator (Extra Strong version) - SS64.com

<!DOCTYPE html><html lang="en"> <head><meta charset="UTF-8"> <title>Password Generator (Extra Strong version) - SS64.com</title> <meta name="Author" content="Simon Sheppard"> <meta name="Description" content="A free tool that creates highly secure passwords that are difficult to crack or guess. Uses a standard SHA-256 cryptographic hash function."> <link rel="icon" href="fav.ico" sizes="48x48"> <link rel="icon" href="fav.svg" sizes="any" type="image/svg+xml"> <!-- Feb 2025 tweak button colour. The list of websites can be edited on line #193 To make the 'show password' button clear out any current password (for extra safety) see line #464 --> <meta name="viewport" content="width=1000, initial-scale=1"> <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';base-uri 'self';form-action 'self'"> <link rel="stylesheet" href="../main.css" type="text/css"> <style> p, h1, li, label, .mainpw {font-family: "Helvetica Neue", "Segoe UI Variable Static Text", Helvetica, Arial, Oxygen-Sans, Roboto, Ubuntu, sans-serif; font-weight: normal; font-size: 100%;} h1{clear: both; font-size: 1.375rem;} body{font-weight: normal; color: #000; background-color: #D9D9DE; margin: 15px;} p,hr,ol,ul,dd,dl,aside { max-width: 1000px; } form{left: 40px; margin: 0;} label{width: 100px; float: left; text-align: right; margin-right: 10px; margin-top: 2px; display: block;} li{margin: 15px 0;} input {font-size: 84%;} .websites {width: 405px; position: relative;left: 110px;} .callout {width: 700px; } .sitebox {width: 90px; margin-bottom: 0.5px; padding-left: 4px;} .pass, .spell{ position: relative; left: 15px; width: 166px; margin-bottom: 1.5px; padding-left: 3px; font-family: Menlo, "Bitstream Vera Sans", "Courier New", courier, monospace; } .sitebox{ height: 18px;} .pass{ height: 16px;background-color: #F1F1F4} .tagline {font-size: 0.75rem;line-height: 1rem;} .genbtn { 
display: inline-block; margin-left: 10px; width: 120px; height: 32px; background-color: #C4C4C6; border: 1px solid #777777de; border-radius: 0.25rem; color: #001; cursor: pointer; font-family: "Helvetica Neue", "Segoe UI Variable Static Text", Helvetica, Arial, Oxygen-Sans, Roboto, Ubuntu, sans-serif; font-size: 0.875rem; font-weight: normal; text-align: center; /*background-image: linear-gradient(to bottom, #CFCFCF, #C4C4C6); D7D7E4 C3C3CE*/ transition: background-color .25s, color .25s; } .genbtn:hover { background-color: #1DB954;/*#1188EA; */ /*background-image:none;*/ color: #141414; transition: background-color 0.25s, color 0.25s; } .genbtn:focus{border: 1px solid #4B8DF8; outline: none;color: #229231;} .genbtn:active{ color: #1676F1; /* #F4FFF0 #D9D9DE; */ border: 1px solid #229231; /* 6f58af 1188ea #4B8DF8; */ outline: none; /* text-shadow:none;*/ } .genbtn:hover:focus{color: #141414;} .genbtn:hover:focus:active{color: #1676F1;} a:link{color: #00F; text-decoration: none;} a:visited{color: #991BC1; text-decoration: none;} a:hover { color: #00F; border-bottom: 1px solid #00F; } a:active {color: #337fe8; text-decoration: none; border-bottom: 1px solid #337fe8;} .tbtn a {display: block;border-bottom: none;border-radius: 7px;} .quote {color:#07572c; font-family: Palatino, "Segoe UI Variable Static Text", Georgia, FreeSerif, Serif;font-style:italic;} .pass, .sitebox { transition: all 0.30s ease-in-out; outline: 1px; border: 1px solid #A1A1A1; box-shadow: 0 0 2px #CCC; border-radius: 3px; } .mainpw { width: 285px; font-family: "Helvetica Neue", Verdana, Geneva, Helvetica, Sans-Serif; border-radius: 4px; transition: all 0.30s ease-in-out; outline: 1px; border-top: 1px solid #7C7C7C; border-left: 1px solid #ACB5BE; border-right: 1px solid #ACB5BE; border-bottom: 1px solid #DDD; box-shadow: inset #CCC 0px 1px 0px; height: 25px; } .mainpw:focus, .pass:focus, #custid:focus { outline: none; border: 1px solid #4D90FE; /*transition: box-shadow 5s linear, border 3s linear; 
*/ box-shadow: 0px 0px 4px 0px #4D90FE; } #custid{ font-family: Menlo, "Bitstream Vera Sans", "Courier New", courier, monospace; border-radius: 4px; border-top: 1px solid #7C7C7C; border-left: 1px solid #ACB5BE; border-right: 1px solid #ACB5BE; border-bottom: 1px solid #DDD; box-shadow: inset #CCC 0px 1px 0px; height: 22px; } #mp {margin-left: 110px;} #showlbl{clear:both;text-align: left;float:none;width: 200px; display:inline; border: #686868 0.5px dotted; padding: 3px 5px 5px 0px; border-radius: 2px;} /* Dark mode */ @media (prefers-color-scheme: dark) { body { background-color: #BDBDC6; /*D9D9DE*/ } .genbtn { background-color: #DEDEE6; /*background-image: linear-gradient(to bottom, #E7E7EC, #DEDEE6);*/} .tb-tn a:focus { background-color: #BDBDC6; /*D9D9DE*/ } a:link, a:hover {color: #0000AD;} a:visited {color: #7D129E;} } /* slider */ #show { appearance: none; position: relative; display: inline-block; background: #30A91F; height: 1.1rem; width: 2.16rem; vertical-align: middle; border-radius: 2rem; box-shadow: 0px 1px 3px #2521ADE0 inset; transition: 0.12s linear background; } #show:checked::before { transform: translateX(1rem); } #show::before { content: ""; display: block; width: 0.74rem; height: 0.74rem; background: #F8F9F9; border-radius: 1.2rem; position: absolute; top: 0.2rem; left: 0.2rem; box-shadow: 0px 1px 3px #282AA033; transform: translateX(0rem); /*transition: 0.1s linear transform;*/ transition: transform 0.15s cubic-bezier(0.65, 0, 0.35, 1); } #show:checked { background: #E70D0D; } #show:focus { outline-color: dodgerblue; } </style> <script> /* * The sites to display. 
* You can edit this to customise the page, * to include another website just add an extra line: */ var sites = [ {seed:"amazon", url:"https://www.amazon.com/", displayName:"Amazon"} ,{seed:"apple", url:"https://www.apple.com/", displayName:"Apple"} ,{seed:"box", url:"https://app.box.com/login/", displayName:"Box"} ,{seed:"bsky", url:"https://bsky.app/", displayName:"Bsky"} ,{seed:"ebay", url:"https://signin.ebay.com/", displayName:"Ebay"} ,{seed:"google", url:"https://www.google.com/", displayName:"Google"} ,{seed:"mastodon", url:"https://joinmastodon.org/", displayName:"Mastodon"} ,{seed:"outlook", url:"https://outlook.com/", displayName:"Outlook"} ,{seed:"reddit", url:"https://old.reddit.com/", displayName:"Reddit"} ,{seed:"tiktok", url:"https://www.tiktok.com/", displayName:"TikTok"} ,{seed:"tumblr", url:"https://www.tumblr.com/", displayName:"Tumblr"} ,{seed:"wikipedia", url:"https://en.wikipedia.org/", displayName:"Wikipedia"} ]; /* * A JavaScript implementation of the Secure Hash Algorithm, SHA-256, as defined * in FIPS 180-2 * Version 2.2 Copyright Angel Marin, Paul Johnston 2000 - 2009. * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet, It's Never Lurgi * Distributed under the BSD License * See http://pajhome.org.uk/crypt/md5 for details. * Also http://anmar.eu.org/projects/jssha2/ */ /* * Configurable variables. */ var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */ var b64pad = ""; /* base-64 pad character. 
"=" for strict RFC compliance */ /* * sha functions * They take string arguments and return either hex or base-64 encoded strings */ function b64_sha256(s) { return rstr2b64(rstr_sha256(str2rstr_utf8(s))); } /* * Calculate the sha256 of a raw string */ function rstr_sha256(s) { return binb2rstr(binb_sha256(rstr2binb(s), s.length * 8)); } /* * Convert a raw string to a modified base-64 string (Chars 62+63 are non-standard) */ function rstr2b64(input) { try { b64pad } catch(e) { b64pad=''; } var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789Ea"; var output = ""; var len = input.length; for(var i = 0; i < len; i += 3) { var triplet = (input.charCodeAt(i) << 16) | (i + 1 < len ? input.charCodeAt(i+1) << 8 : 0) | (i + 2 < len ? input.charCodeAt(i+2) : 0); for(var j = 0; j < 4; j++) { if(i * 8 + j * 6 > input.length * 8) output += b64pad; else output += tab.charAt((triplet >>> 6*(3-j)) & 0x3F); } } return output; } /* * Encode a string as utf-8. * For efficiency, this assumes the input is valid utf-16. */ function str2rstr_utf8(input) { var output = ""; var i = -1; var x, y; while(++i < input.length) { /* Decode utf-16 surrogate pairs */ x = input.charCodeAt(i); y = i + 1 < input.length ? input.charCodeAt(i + 1) : 0; if(0xD800 <= x && x <= 0xDBFF && 0xDC00 <= y && y <= 0xDFFF) { x = 0x10000 + ((x & 0x03FF) << 10) + (y & 0x03FF); i++; } /* Encode output as utf-8 */ if(x <= 0x7F) output += String.fromCharCode(x); else if(x <= 0x7FF) output += String.fromCharCode(0xC0 | ((x >>> 6 ) & 0x1F), 0x80 | ( x & 0x3F)); else if(x <= 0xFFFF) output += String.fromCharCode(0xE0 | ((x >>> 12) & 0x0F), 0x80 | ((x >>> 6 ) & 0x3F), 0x80 | ( x & 0x3F)); else if(x <= 0x1FFFFF) output += String.fromCharCode(0xF0 | ((x >>> 18) & 0x07), 0x80 | ((x >>> 12) & 0x3F), 0x80 | ((x >>> 6 ) & 0x3F), 0x80 | ( x & 0x3F)); } return output; } /* * Convert a raw string to an array of big-endian words * Characters >255 have their high-byte silently ignored. 
*/ function rstr2binb(input) { var output = Array(input.length >> 2); for(var i = 0; i < output.length; i++) output[i] = 0; for(var i = 0; i < input.length * 8; i += 8) output[i>>5] |= (input.charCodeAt(i / 8) & 0xFF) << (24 - i % 32); return output; } /* * Convert an array of big-endian words to a string */ function binb2rstr(input) { var output = ""; for(var i = 0; i < input.length * 32; i += 8) output += String.fromCharCode((input[i>>5] >>> (24 - i % 32)) & 0xFF); return output; } /* * Main sha256 function, with its support functions */ function sha256_S (X, n) {return ( X >>> n ) | (X << (32 - n));} function sha256_R (X, n) {return ( X >>> n );} function sha256_Ch(x, y, z) {return ((x & y) ^ ((~x) & z));} function sha256_Maj(x, y, z) {return ((x & y) ^ (x & z) ^ (y & z));} function sha256_Sigma0256(x) {return (sha256_S(x, 2) ^ sha256_S(x, 13) ^ sha256_S(x, 22));} function sha256_Sigma1256(x) {return (sha256_S(x, 6) ^ sha256_S(x, 11) ^ sha256_S(x, 25));} function sha256_Gamma0256(x) {return (sha256_S(x, 7) ^ sha256_S(x, 18) ^ sha256_R(x, 3));} function sha256_Gamma1256(x) {return (sha256_S(x, 17) ^ sha256_S(x, 19) ^ sha256_R(x, 10));} function sha256_Sigma0512(x) {return (sha256_S(x, 28) ^ sha256_S(x, 34) ^ sha256_S(x, 39));} function sha256_Sigma1512(x) {return (sha256_S(x, 14) ^ sha256_S(x, 18) ^ sha256_S(x, 41));} function sha256_Gamma0512(x) {return (sha256_S(x, 1) ^ sha256_S(x, 8) ^ sha256_R(x, 7));} function sha256_Gamma1512(x) {return (sha256_S(x, 19) ^ sha256_S(x, 61) ^ sha256_R(x, 6));} var sha256_K = new Array ( 1116352408, 1899447441, -1245643825, -373957723, 961987163, 1508970993, -1841331548, -1424204075, -670586216, 310598401, 607225278, 1426881987, 1925078388, -2132889090, -1680079193, -1046744716, -459576895, -272742522, 264347078, 604807628, 770255983, 1249150122, 1555081692, 1996064986, -1740746414, -1473132947, -1341970488, -1084653625, -958395405, -710438585, 113926993, 338241895, 666307205, 773529912, 1294757372, 1396182291, 1695183700, 
1986661051, -2117940946, -1838011259, -1564481375, -1474664885, -1035236496, -949202525, -778901479, -694614492, -200395387, 275423344, 430227734, 506948616, 659060556, 883997877, 958139571, 1322822218, 1537002063, 1747873779, 1955562222, 2024104815, -2067236844, -1933114872, -1866530822, -1538233109, -1090935817, -965641998 ); function binb_sha256(m, l) { var HASH = new Array(1779033703, -1150833019, 1013904242, -1521486534, 1359893119, -1694144372, 528734635, 1541459225); var W = new Array(64); var a, b, c, d, e, f, g, h; var i, j, T1, T2; /* append padding */ m[l >> 5] |= 0x80 << (24 - l % 32); m[((l + 64 >> 9) << 4) + 15] = l; for(i = 0; i < m.length; i += 16) { a = HASH[0]; b = HASH[1]; c = HASH[2]; d = HASH[3]; e = HASH[4]; f = HASH[5]; g = HASH[6]; h = HASH[7]; for(j = 0; j < 64; j++) { if (j < 16) W[j] = m[j + i]; else W[j] = safe_add(safe_add(safe_add(sha256_Gamma1256(W[j - 2]), W[j - 7]), sha256_Gamma0256(W[j - 15])), W[j - 16]); T1 = safe_add(safe_add(safe_add(safe_add(h, sha256_Sigma1256(e)), sha256_Ch(e, f, g)), sha256_K[j]), W[j]); T2 = safe_add(sha256_Sigma0256(a), sha256_Maj(a, b, c)); h = g; g = f; f = e; e = safe_add(d, T1); d = c; c = b; b = a; a = safe_add(T1, T2); } HASH[0] = safe_add(a, HASH[0]); HASH[1] = safe_add(b, HASH[1]); HASH[2] = safe_add(c, HASH[2]); HASH[3] = safe_add(d, HASH[3]); HASH[4] = safe_add(e, HASH[4]); HASH[5] = safe_add(f, HASH[5]); HASH[6] = safe_add(g, HASH[6]); HASH[7] = safe_add(h, HASH[7]); } return HASH; } function safe_add(x, y) { var lsw = (x & 0xFFFF) + (y & 0xFFFF); var msw = (x >> 16) + (y >> 16) + (lsw >> 16); return (msw << 16) | (lsw & 0xFFFF); }

function setvals() {
  var mypass = document.getElementById("main");
  var mypasstext = document.getElementById("maintext");
  var paslen = mypass.value.length;
  if(paslen<8 && paslen>0) {
    /* main password too short */
    mypass.style.setProperty('background-color', '#f07f7f', 'important');
    mypasstext.style.setProperty('background-color', '#f07f7f', 'important');
    document.getElementById("otpass").value="";
    for (var i = 0; i < sites.length; i++) {
      document.getElementById(sites[i].seed).setAttribute('value', '');
    }
  } else {
    /* reset colours */
    mypass.style.setProperty('background-color', '#fff', 'important');
    mypasstext.style.setProperty('background-color', '#fff', 'important');
    document.getElementById("customRoot").setAttribute('value', mypass.value); /* Seed masterpassword */
    for (var i = 0; i < sites.length; i++) {
      passwordHash(sites[i].seed, mypass);
    }
  }
}

function highlight(field) {
  field.focus();
  field.select();
}

/* Site password = first 20 characters of the modified base-64 SHA-256 of "<main password>:<seed>" */
function passwordHash(passbox,master) {
  var newpass = b64_sha256(master.value +':'+ passbox);
  newpass = newpass.substr(0,20);
  if(master.value.length==0 || master.value==null){ newpass = ''; }
  document.getElementById(passbox).setAttribute('value', newpass);
}

function revealPassword(reveal) {
  if(reveal) {
    /* optional line below: clear out the main password and force it to be retyped */
    /* document.getElementById('maintext').value=''; */
    document.getElementById('main').style.display = 'none';
    document.getElementById('maintext').style.display = 'inline';
  } else {
    document.getElementById('maintext').style.display = 'none';
    document.getElementById('main').style.display = 'inline';
  }
}

function copyTo(source, destination) {
  document.m[destination].value = source.value;
  /* reset the field colours once more than 9 characters have been typed */
  var mypass = document.getElementById("main");
  var mypasstext = document.getElementById("maintext");
  var copylen = source.value.length;
  if(copylen>9) {
    mypass.style.setProperty('background-color', '#fff', 'important');
    mypasstext.style.setProperty('background-color', '#fff', 'important');
  }
}

window.onbeforeunload = function () { /* This function stops the page being cached (so the back button won’t reveal passwords). */
}
</script> </head> <body onload="document.m.reset();document.ot.reset();document.m.main.focus();"> <!-- Begin top nav menu --> <div id="tnav"><ul> <li class="tbtn"><a href="../">SS64</a></li> <li class="tbtn"><a href="https://ss64.com/pass/mobile/">Mobile 20</a></li> <li class="tbtn"><a href="https://ss64.com/pass/pass15.html">15 Char</a></li> <li class=tflat>20 Char</li> </ul></div> <!-- End --> <h1>SS64 Password Generator (Extra Strong 20 character version)</h1> <form name="m" id="m"> <div id="mp"> <p>Main password<br> <input name="main" id="main" class="mainpw" value="" autocomplete="new-password" autocapitalize="none" onblur="setvals();" onkeyup="copyTo(this, &#39;maintext&#39;);" type="password" autofocus tabindex="1"> <input name="maintext" id="maintext" class="mainpw" value="" autocomplete="off" autocapitalize="none" onblur="setvals();" onkeyup="copyTo(this, &#39;main&#39;);" style="display: none;" tabindex="2"> <input value="Generate" class="genbtn" onclick="setvals();" type="button"> <label id="showlbl"><input name="reveal" onclick="revealPassword(this.checked);" type="checkbox" id="show" tabindex="6"> show password</label></p> </div> </form> <form class="websites"> <script>
for (var i = 0; i < sites.length; i++) {
  /* document.write("<label><a href=\"" + sites[i].url + "\">" + sites[i].displayName + "</a></label>"); */
  document.writeln(" <input name=\"site\" class=\"sitebox\" value=\"" + sites[i].seed + "\" readonly=\"\">");
  document.writeln("<input name=\"password\" id=\"" + sites[i].seed + "\" class=\"pass\" readonly=\"\" onclick=\"highlight(this);\" tabindex=\"6\" value=\"\"><br>");
}
</script> </form><br> <!--custom--> <form method="post" name="ot" class="callout" id="ot" autocapitalize="none" onsubmit="setvals();otpassword.value = b64_sha256(customRoot.value+&#39;:&#39;+ CustomSite.value).substr(0,20);if(main.value.length<8 ){alert('For better security:\nSelect a Main Password that is at least 12 RANDOM chars long.');otpassword.value = 
&#39;&#39;}; if(customRoot.value.length==0 || customRoot.value==null){otpassword.value = &#39;&#39;}; document.ot.otpassword.focus(); document.ot.otpassword.select(); return false;"> <input name="passwd" id="customRoot" type="hidden" value=""> <label style="margin-top: 6px;">Custom: </label> <input name="CustomSite" id="custid" class="sitebox" autocapitalize="none" onkeyup="otpassword.value = &#39;&#39;;" tabindex="3"> <input name="otpassword" id="otpass" class="pass" readonly onclick="highlight(this);" tabindex="5"> &nbsp;&nbsp; <input type="submit" class="genbtn" value="Generate" tabindex="4"> <input type="button" class="genbtn" value="Clear All" onclick="window.location.href=window.location.href"> </form><br> <p>Using the same password for multiple email, shopping and social networking websites is risky: it means that a <a href="https://privacyrights.org/data-breaches">security breach</a> at one website will compromise all your accounts, possibly even leading to identity theft.</p> <p>So, the idea is that you memorise just one, reasonably long (at least 10 characters), <a href="https://passwordsecurity.info/">secure</a> main password and use that to generate a set of non-dictionary passwords. Copy and paste the new password(s) into the website and set your web browser to remember them.</p> <p>All the websites get different passwords, but you only have to remember one!</p> <p>Using a different PC? 
You can re-generate the same set of passwords at any time by returning to this page and entering the same <b>main</b> password.</p> <ul> <li>For any website that's not on the list, just type the name into the 'Custom' box (the last one in the list) and press Generate.</li> <li>Using UPPER or lower case will produce different passwords. When using this for the first time, it’s a good idea to use the 'Show Password' tickbox to check for any typos.</li> <li>Most websites will send a password reset via email, so set the password for that email account to something completely different, just in case you ever forget the main password!</li> <li>The mobile version can be added to your home screen on <a href="https://support.apple.com/en-gb/guide/iphone/iph42ab2f3a7/ios">iPhone</a> or <a href="https://www.androidauthority.com/add-website-android-iphone-home-screen-3181682/">Android</a>, and will work even without an internet connection.</li> <li>To navigate this page using the keyboard, use the TAB and RETURN keys.</li> <li>Because this generator uses a one-way SHA-256 hash, knowing one password does not allow working backwards to discover the <b>main</b> password or any of the others.</li> <li>There is also a <a href="https://ss64.com/pass/pass15.html">15 character</a> version for any websites which don’t yet accept 20 character passwords.</li> <li>If you are using Firefox with a password generator, you may wish to turn off the Firefox option to <a href="https://support.mozilla.org/en-US/kb/autofill-logins-firefox">Suggest and Generate</a> strong passwords.</li> </ul> <p>This password generator works using JavaScript, entirely within the page; no data is ever passed back to my server. Notwithstanding this, it is a very good idea to save your own copy of this page. <a href="https://ss64.com/pass/passwords.zip">Zip file here</a>. Keeping your own copy ensures that the password generator will still be available to you even if this website goes off-line. 
You can also <b>View-Source</b> and see exactly how the JavaScript works, copy it to a USB stick, easily edit the default list of websites to your favourite websites, even upload it to your own website (it’s open source). There are no dependent files, just save as a single HTML file.</p> <p><a href="https://ss64.com/pass/command-line.html">Command-line version</a><br> <a href="../tools/security.html">Password security - a comparison of Password Generators</a><br> <a href="https://security.stackexchange.com/questions/44368/are-the-ss64-com-password-generators-a-good-approach">Are the SS64.com password generators a good approach?</a> - StackExchange</p> <p class="quote">“Password managers don’t have to be perfect, they just have to be better than not having one” ~ <a href="https://sudo.pagerduty.com/for_everyone/">Troy Hunt.</a></p> <p class="tagline">Credits: JavaScript implementation of the Secure Hash Algorithm (SHA-256), ©Paul Johnston, distributed under the <a href="https://fossa.com/blog/open-source-software-licenses-101-bsd-3-clause-license/">BSD License</a>. Inspired by <a href="https://web.archive.org/web/20210509132921/http://www.angel.net/~nic/passwd.current.html">Nic Wolff’s</a> password generator. Mobile version by Jay van hutten.</p> <p class="tagline"><a href="https://ss64.com/">Simon Sheppard</a>, Mar 2025<br> SS64.com/pass/</p> </body></html>
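
The derivation this page performs, re-implemented with Node's built-in SHA-256 as an added example (it is not SS64's code): it reproduces the `main:seed` hash, the modified base-64 alphabet and the 20-character truncation, and uses them to cross-check values read from a saved or self-hosted copy of the page. The names `hashToPassword`, `sitePassword` and `auditCopy`, and the sample main password, are made up for this example.

```javascript
// Added example, not SS64 code: an independent re-derivation using Node's
// built-in SHA-256, for cross-checking a saved copy of the generator.
const nodeCrypto = require("crypto");

const PASSWORD_LENGTH = 20; // the page keeps the first 20 characters

// Hash a string (encoded as UTF-8) and encode the digest the way the page's
// rstr2b64() does: base-64 without padding, with characters 62 and 63
// ('+' and '/') replaced by 'E' and 'a', so the output is alphanumeric only.
function hashToPassword(input, length = PASSWORD_LENGTH) {
  const digest = nodeCrypto.createHash("sha256").update(input, "utf8").digest();
  return digest
    .toString("base64")
    .replace(/=+$/, "")
    .replace(/\+/g, "E")
    .replace(/\//g, "a")
    .slice(0, length);
}

// Mirrors the page's passwordHash(): hash "<main>:<seed>"; an empty main
// password produces an empty result.
function sitePassword(main, seed) {
  if (!main) return "";
  return hashToPassword(main + ":" + seed);
}

// Compare passwords read from a copy of the page with the independent
// derivation and return the seeds whose value does not match.
function auditCopy(main, observed) {
  return Object.keys(observed).filter(
    (seed) => observed[seed] !== sitePassword(main, seed)
  );
}

// Constructed sample data: a made-up main password and two seeds from the
// page's site list. Nothing here is a real secret.
const SAMPLE_MAIN = "Constructed-sample-main-1";

function demo() {
  const observed = {
    amazon: sitePassword(SAMPLE_MAIN, "amazon"),
    google: sitePassword(SAMPLE_MAIN, "google"),
  };
  // Simulate a copy whose output for one site differs from the real derivation.
  observed.google = observed.google.slice(0, 19) + "!";
  return {
    knownVector: hashToPassword("abc"), // standard SHA-256("abc") test vector
    caseMatters:
      sitePassword(SAMPLE_MAIN, "amazon") !==
      sitePassword(SAMPLE_MAIN.toLowerCase(), "amazon"),
    mismatches: auditCopy(SAMPLE_MAIN, observed),
  };
}

console.log(demo());
```

Because the derivation is a single unsalted SHA-256 with no key stretching, the length and randomness of the main password carry all of the scheme's resistance to offline guessing.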
