SynthPass released

Chances are you, like me, have a collection of logins, each with its own requirements for password strength and lifetime, user ID, and so forth, and your memory has already reached the saturation point. Since writing them on a piece of paper is a no-no, you may have resorted to a password manager. There are many good ones, even free ones, but you still wonder if things could be a little easier. If you are thinking this, SynthPass is for you. It does not work like the other password managers, which store your logins more or less securely, but rather gets around the whole problem by not storing your passwords.

Intrigued? Read on…

With SynthPass, there is no “vault” that has to be protected from hackers because your passwords are synthesized on the fly, just as you need them. SynthPass-made passwords are always high strength and comprise letters, numbers, and special characters. Passwords for different websites are guaranteed to be totally different.

You never have to change your Master Password. When a website forces you to change its password, simply change the optional serial that is used to synthesize that password. SynthPass will remember the serial, as well as your user ID. Your Master Password is never stored, and it disappears from memory after five minutes without use.

Unlike conventional password managers, SynthPass
– won’t pop up and interrupt your flow; it is activated only when you click its icon on the browser toolbar
– won’t store anything secret, only user IDs and optional serials, if you allow it
– is always available, because it does not have to connect to “the Cloud”
– makes only strong passwords
– won’t ask you for money
– won’t show ads

SynthPass is based on the WiseHash key-stretching algorithm, which evaluates the information entropy of your Master Password and subjects it to a variable number of rounds of scrypt key-stretching. The weaker the password, the more stretching. This forces would-be hackers to spend an inordinate amount of computer time testing weak passwords before they can get to yours. SynthPass displays an accurate measurement of your Master Password’s entropy to help you come up with a strong one. This is the same algorithm that stretches the user password in PassLok Privacy and PassLok for Email.
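
The idea in the paragraph above, combined with the per-site serial described earlier, as an added Node.js sketch. It is not SynthPass or WiseHash code: the entropy estimator, the cost schedule, the salt layout and the 64-character output alphabet are assumptions chosen for illustration.

```javascript
// Added illustration, NOT SynthPass or WiseHash code. The entropy estimator,
// cost schedule, salt layout and output alphabet are assumptions.
const crypto = require('node:crypto');

// Naive estimate: length * log2(combined size of the character pools used).
function estimateEntropyBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33;
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Weaker master password -> larger scrypt cost N = 2^exp (hypothetical
// schedule: exp 14 below 40 bits, one less per further 20 bits, minimum 10).
function costExponent(entropyBits) {
  const exp = 14 - Math.floor((entropyBits - 20) / 20);
  return Math.min(14, Math.max(10, exp));
}

// 64 symbols, so (byte & 63) selects one without modulo bias.
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' + 'abcdefghijklmnopqrstuvwxyz' +
  '0123456789' + '!#';

// Derive a 16-character site password. Nothing secret is stored, so the
// same master password, site and serial must always give the same output.
function synthesize(master, site, serial = '') {
  const exp = costExponent(estimateEntropyBits(master));
  // Length prefix keeps different (site, serial) pairs from colliding.
  const salt = Buffer.from(`${site.length}:${site.toLowerCase()}${serial}`, 'utf8');
  const key = crypto.scryptSync(master.normalize('NFKC'), salt, 32,
    { N: 2 ** exp, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
  return Array.from(key.subarray(0, 16), (b) => ALPHABET[b & 63]).join('');
}

// Constructed sample inputs: one weak and one strong master password.
for (const m of ['password', 'Correct-Horse-Battery-9!']) {
  const bits = estimateEntropyBits(m);
  console.log(m, bits.toFixed(1), 'bits -> N = 2^' + costExponent(bits),
    synthesize(m, 'example.com', '2'));
}
```

Because the derivation is deterministic, anyone who obtains one synthesized password can test master-password guesses offline, which is why the stretching cost and the strength of the Master Password both matter.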

This is a browser extension, and therefore is poorly supported on mobile devices. There is, however, a web app that includes the same password-making engine and runs well on mobile devices. It can be found at:

And now, a few more links. First the download links for the extensions for Chrome and Firefox:



Then, of course, the info page:

Finally, the GitHub repo, where you can contribute to the code or report bugs:

Enjoy SynthPass!

7 thoughts to “SynthPass released”

      1. Hey, I replied to your same comment on Reddit. I read the article, and it doesn’t actually demonstrate any fatal flaws in SynthPass, which has mechanisms in place to address all its concerns.

        I stand corrected regarding the history of password synthesizers, though, so thanks.

  1. SynthPass (the extension in Chrome) mysteriously stopped displaying the helpful hint that lets you know if you typed your password correctly. You know, that foreign-language-looking sequence of letters?

    How can I get it back?

    1. The Hashili word has not disappeared, it simply has become optional rather than being always on. You can see it by clicking the eye icon once. Clicking again will cause the complete password to be displayed. The reason why Hashili has been made optional is that someone looking over your shoulder could figure out your password if he/she/it manages to record the Hashili words displayed as you type (not just the last one). This could happen more easily than you think. A couple months back, I was demonstrating the extension before many people. If a video recording had been made, someone would have been able to steal all my passwords!

      1. Some time ago, I found a way to have Hashili on by default. It will not show until you stop typing for a full second, which should be enough to make sure it appears only when you have typed in the whole master password. Since there are gazillions of possible passwords but only ten thousand different Hashili, it should be practically impossible to get the password from what is displayed. Sorry I did not comment on this sooner.
