FAQ
What is SynthPass?
SynthPass is an extension for Chrome and its derivatives, and an add-on for Firefox that makes high-strength passwords for logins. Unlike conventional password managers, SynthPass does not involve storing passwords, but rather synthesizes them on the fly. There's nothing stored that can be compromised, and there are no weak passwords that might be hacked.
How secure are SynthPass-made passwords?
Every password synthesized by SynthPass is 44 characters long, random-looking, and contains lowercase and capital letters, numbers, and the special characters !#_. This is typically considered very secure. Websites should have no trouble accepting passwords like this, but SynthPass offers a way to edit them to suit the need, through a special form on its Help page.
So how do I use SynthPass to log into a site?
Click the SynthPass logo. A popup will appear right underneath displaying your user ID (if you saved it earlier), and a box for your Master Password, plus an optional serial. Type your Master Password, ending with Enter, or click OK, and the login page will populate with the SynthPass-made password for that particular site, plus the user ID, if any. Then click the webpage's login button.
What is this Master Password?
This is the text from which the website-specific passwords made by SynthPass derive. You can use the same Master Password every time, and still the password made for login will be different on every website. You don't have to change it even if they want you to change your password for a given login; just change the serial. Although it is best if the Master Password is strong, and SynthPass will tell you how strong it is so you can improve it, you can use a weak one if you prefer. SynthPass has a clever way to compensate for weak Master Passwords. The important thing is that you remember it, because SynthPass does not store it, and is never going to give you a hint about it.
How does SynthPass handle weak passwords?
SynthPass generates new passwords by subjecting your Master Password, plus the website name and the serial, if any, to a number of rounds of SCRYPT, a well-known, secure key-stretching algorithm. The number of rounds depends on the strength, measured in bits of entropy, of the Master Password: the smaller the entropy, the longer the computation. This way hackers who want to guess your Master Password by running whole dictionaries through the algorithm will be forced to waste a lot of computer time going through the bad passwords. Because you're not going to use a bad Master Password, right? It pays to spend a little time finding a Master Password that scores high and yet you can still remember.
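The entropy-dependent stretching described above can be sketched as follows. This is an added example, not SynthPass's own code: the entropy estimator, the mapping from bits to scrypt cost, the salt layout and the output encoding are all assumptions chosen for illustration, and it runs under Node.js rather than in the extension.

```javascript
// Added illustration; not SynthPass source code. Every parameter is an assumption.
const { scryptSync } = require('node:crypto');

const MAX_LOG_N = 16; // scrypt cost exponent used for the weakest Master Passwords
const MIN_LOG_N = 12; // floor applied to the strongest ones

// Naive entropy estimate: length * log2(size of the character pool in use).
function estimateBits(master) {
  let pool = 0;
  if (/[a-z]/.test(master)) pool += 26;
  if (/[A-Z]/.test(master)) pool += 26;
  if (/[0-9]/.test(master)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(master)) pool += 33;
  return pool === 0 ? 0 : master.length * Math.log2(pool);
}

// Lower entropy -> larger exponent -> more work for every guess an attacker tries.
function costExponent(bits) {
  return Math.max(MIN_LOG_N, MAX_LOG_N - Math.floor(bits / 16));
}

// Deterministic: the same Master Password, site and serial always give the same output,
// so nothing has to be stored. Changing the serial gives an unrelated password.
function synthesize(master, site, serial = '') {
  const logN = costExponent(estimateBits(master));
  const salt = `${site}\n${serial}`; // newline keeps site and serial unambiguous
  const key = scryptSync(master, salt, 33, {
    N: 2 ** logN, r: 8, p: 1, maxmem: 256 * 1024 * 1024,
  });
  // 33 bytes encode to exactly 44 base64 characters with no padding;
  // '+' and '/' are swapped for characters from the set the FAQ lists.
  return key.toString('base64').replace(/\+/g, '!').replace(/\//g, '#');
}
```

With these assumed constants, a three-letter Master Password is stretched with N = 2^16 while a long mixed-case passphrase gets N = 2^12, so each dictionary guess against the weak end costs about 16 times more.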
How about a password change?
Typically you will be sent to a webpage where you are asked to input your new password. Sometimes you are asked for the old password as well, and sometimes you are asked to repeat the new password, or the old one, or both. Click the SynthPass logo when you reach that page, and you will see a popup with several rows of boxes, matching the password boxes on the page and in the same order. If you used a serial previously, it will appear in the first row. Enter your Master Password in the first row corresponding to it on the webpage, and make sure the old serial is next to it. On the first row corresponding to the new password, you can either write a new Master Password (only if you want to change it), or a new serial (recommended). No need to write anything else. Then click OK. All the input boxes on the webpage will populate and the new serial will be remembered if its row was the last one highlighted. Then click whatever button is on the page to send the data to the server.
You may be asked to enter an old password that was not made by SynthPass. In this case, write that password in the corresponding Master Password box, and a single dash ( - ) in the serial box next to it. SynthPass will use this password as-is, without any processing.
Where are the options?
Well, SynthPass has no options or settings at all. SynthPass does only one thing, which is synthesize passwords, but it does it very well. If you want to store secret information or do other stuff, look elsewhere. There are lots of capable apps out there, but none as simple as SynthPass.
Still, SynthPass offers you a way to comply with varying password requirements through its Length input. It works this way:
- If the password must be a particular length, write the number in this box
- If you want it to consist of numbers only, write "pin" or "num" or any word containing those strings
- If you want it to consist only of alphanumeric characters (no special symbols), write "alpha" or any word containing this string
- If the default special characters are no good, just write the special characters that are to be used in the Length box
Why doesn't SynthPass pop up to offer help?
SynthPass does not work that way. It is not constantly scanning webpages like password managers do, in order to jump in and offer to give you a password or save it. With SynthPass, nothing happens until you click its icon on the upper right of the browser. Then it quickly scans the page and displays as many input boxes as password inputs are on the page. This works both to fill a login and to save it.
Does SynthPass run on smartphones?
Unfortunately, extensions like SynthPass are not yet supported by mobile browsers, with the exception of Firefox for Android. But this does not mean that you cannot log into your websites when you are on the road. We have made a special version of SynthPass that will run on anything. You can get it from this link: https://synthpass.com/app. Since it is not integrated with the browser, you need to supply the website name as well as your Master Password and serial, but then you only need to click OK to generate the website password, and then Copy to put it in the clipboard, from where you can paste it anywhere you like. You can save it to Home Screen and use it like any other app.
So nothing is stored, right?
Actually, serials are stored in the browser, as well as the user ID, if you supply any, and what you write in the Length box. They are stored unencrypted, but fear not because this does not lessen security. It is still impossible to recreate a website password, or retrieve the Master Password from a website password, starting from user ID and serial. User IDs are typically not handled as private by websites, anyway. If having your user ID stored in SynthPass bothers you, don't write it in the app. You can still fill it on the webpage manually.
And, if you really insist on storing a password you have come up with, SynthPass will oblige. Simply write a + sign in the Serial box, and the app will offer to remember any string that you supply at that moment. This string is encrypted before it is sent to browser sync storage, so you have it available as you move from machine to machine, but the browser provider only has the encrypted version. To use one last time and remove it, type a - in the serial box instead.
A similar thing happens when you click the SynthPass button when the page does not contain any password inputs. The popup will offer to encrypt and store any information pertaining to that page so you may recall it later. This may be handy for websites with complex logins.
Is SynthPass really open source?
Sure it is. You can read the code (and improve it if you are so inclined) at its GitHub page. But of course, you can always see the code directly within the browser. It is neither minified nor obfuscated.
Do you have tutorials?
We have a few videos on YouTube, explaining how to do things, with examples:
- How to use SynthPass to log into a website: https://www.youtube.com/watch?v=RLGScvETOEc
- How to change your login on a website using SynthPass: www.youtube.com/watch?v=96pSh4h1CAU
- How to generate a password on a mobile device, or what to do if something isn't working: www.youtube.com/watch?v=Y5jwImGkzCc
Who are you and why are you doing this?
My name is Francisco Ruiz. I am a professor of engineering at a major US university. I've been doing cryptography for a while. You may know PassLok or PassLok for Email, which add powerful, easy to use peer-to-peer encryption to email. SynthPass comes after a number of years as a (fairly frustrated) user of password managers. If you like SynthPass, tell your friends!
What is that word that appears as I type my password?
We call it "Hashili" because it is a "hash" of your Password that sounds a bit like Swahili. The idea of Hashili is to reassure you that you typed your Master Password correctly, without having to display the Password. There are 100 million different Hashilis, and they change completely with the slightest alteration in the Password, so the chances that you get the correct Hashili for a wrong Password are one in a hundred million. Because there are many more possibilities for the Password than for the Hashili, it is impossible to retrieve the Password from the Hashili.
Think of it as SynthPass telling you "correct!" in its own language.
What happens if I forget my Master Password?
Then you'll be unable to re-generate the website passwords that depend on it. The Master Password is never stored, so there's nothing that can be done about it, even if you remember its matching Hashili word, since the process to make Hashili cannot be reversed.
You'll have to get to the "Forgot Password" setting of that website and make a new one starting from a Master Password that you can actually remember. It is okay if it is a "weak" password, since SynthPass will compensate for its weakness by adding processing time.
On the other hand, this is not as disastrous as forgetting your Master Password for a conventional password manager, which would lock you out of all your logins at once.
Can SynthPass do more?
SynthPass is designed to be as easy to use as possible, and this is why the basic thing it can do is synthesize strong passwords. We mentioned earlier that it can store, in encrypted form, any information pertaining to a page that you may want to recall. If you want more capability, you can use PassLok Universal or FusionKey instead, which also add a full suite of text and file encryption to password generation identical to that of SynthPass.