What is uPass
uPass is a tiny web app I created to solve my own problem - keeping my passwords secure and easy to manage at the same time. Passwords are the only way to identify yourself in the Internet. Nothing better has been invented yet. However, passwords are still painful to work with:
- People hate passwords, and for a reason;
- Good passwords are hard to guess - therefore hard to remember;
- You really should have different password for any service you use.
Numerous password-managing apps are here to help. Most of them are tied to one OS. None of them appealed to me personally. The best approach I could find is to have single ("master") password and generate account-specific passwords from it (using account name for encryption). I borrowed the idea from SuperGenPass but found its interface hard to use. Thus, uPass was born.
Why you should use it
Only remember one password
Using one password for all accounts is very much risky. Remembering unique password for each account is almost impossible, unless you are a 'mind freak'. uPass is the solution: you only need to remember master password, and uPass generates unique password for services you use. Read more.
Secure by default
uPass generates mix of numbers and letters (by default 12 characters long) which are virtually impossible to brute-force.
Only takes a couple of key strokes
uPass is very keyboard-friendly. Open, type master password, Enter, Ctrl-C, Ctrl-W, done!
Your password does not leave your device
There is no data transfer between your browser and uPass server. It's 100% client-side. You can even host uPass yourself, for ultimate security.
Works on any platform with web browser
Windows, Mac OS X, Linux, Android, iOS, Windows Phone, webOS, and any future OS too.
Works for any service, not only web
You can generate password no just for web service, but for anything that can be referred to as "username". I actually use it to secure passwords for Linux users such as "root", "www", etc.
How uPass works
uPass takes 2 parameters: master password and domain/username. If you open uPass using browser bookmarklet or extension, domain is set automatically. F.e. if http://accounts.google.com is opened in your browser, uPass will set domain to "google". All you need to do is type your master password and hit Enter.
uPass combines master password and domain into single string. This string is then converted into unique password. F.e. if your master password is "snowflakes" (really bad password!), domain is "google", and password length is default (12), uPass will convert "snowflakesgoogle" into "UoBIAXtIVwDQ". Copy it, close uPass and paste the password into login form.
How to use uPass
- Memorize your master password.
- When you sign up with a web site, use uPass to generate unique password.
- Next time you sign in, use uPass again to generate the same password.
Note - uPass does not "store" your passwords, therefore it will not work with passwords you had before you started using uPass. For each service (such as email), you will need to change password to match what uPass generates.
Do not change password length once you started using uPass.
Get browser bookmarklet
Drag this link → uPass ← into your browser's bookmarks bar (below address bar). You might need to turn it on from Bookmarks menu. Not for mobile browsers.
Use on iPhone/iPad
Open upass.in in your mobile browser, tap "Share" button, tap "Add to Home screen".
Use on Android
Open upass.in in your mobile browser, add it to bookmarks, open bookmarks, tap and hold.upass.in, tap "Add to Home screen".
Download and self-host
Download uPass for backup, even if you do not plan to use it locally. Right-click and save as: upass.zip.
Why use uPass, not LastPass/KeePass/1Password/RoboForm/etc?
I tried them all, honestly. LastPass was the best, but still far from perfect. uPass is not perfect too - it reflects my vision. I encourage you to give it a try.
Why bother with secure passwords at all?
How safe is uPass?
It's as safe as your master password. If your master password is weak, a hacker can guess or brute-force it, and get access to all your accounts. Luckily, the generated passwords are really strong (unless you make them too short), and because uPass is not yet so popular, chances are no one will guess you use it.
Trusting my password to web service is insane!
uPass server only sends you HTML code, one way. Your password is never transmitted to our server. And you can always self-host uPass
How do I get one password for all subdomains?
It's done automatically for you. When uPass converts URL to account name, ignores subdomains as well as top-level domains, and leaves only valuable part of domain. For example, you probably have the same account for both "amazon.fr" and "amazon.com" - and uPass correctly converts both domains to just "amazon".
How do I come up with strong master password?
Seriously, just use it :-) uPass is free to use, modify, re-distribute, as long as link to uPass.info is provided. I am not responsible for any damage you might experience using uPass. Use at your own risk! (But remember - not using uPass may be riskier).
Feedback and discussion
To discuss uPass, please use this forum @ userecho.com.
Please send your comments, compliments and complaints to firstname.lastname@example.org.