Convenient Password Management and Phishing Protection

Passpet makes logging in to websites easier: just click a button to fill in your username and password. You only need to memorize one secret, and Passpet will generate a different password for each site. Even if there is a break-in at one site, your other accounts and passwords are safe. Passpet protects you from attackers who try to fool you into revealing passwords because each password is generated only for the site where you originally established it.

Passpet was presented in a paper published at SOUPS 2006 (the Symposium on Usable Privacy and Security). Read the paper (465 kb PDF).

Here are a few ways Passpet improves on previous password helper tools:

The Passpet source code is released as open source under the Apache 2.0 License.

Source code:
Source repository:
Firefox 1.5 extension: passpet.xpi

How to Use Passpet

Passpet appears on your Firefox toolbar as an animal icon. Everyone gets a randomly chosen animal with a randomly chosen name, so the Passpet button is hard for an impostor to imitate. When you first start Firefox, your Passpet is asleep. To awaken it, click on it and enter your master secret.

When your Passpet is awake, click on it to automatically fill in your username and password for a site.

Setting Up Accounts

The text box next to your Passpet lets you label the sites you know, so you can tell them apart from fraudulent websites. If you enter a label in the text box, the label will reappear when you are back at the same site.

To fill in a password, Passpet calculates the password from your label. So, to start using Passpet at a particular website, enter a site label in the box. When registering for a new account on the site, click on your Passpet to fill in the new password. To start using Passpet with an already existing account, first log in to the website and go to its "change password" page, then enter your old password and click on your Passpet to fill in the new password.

If you change the label, Passpet will calculate a different password. So, if you want to change your existing password at a particular site, you go to the "change password" page, click on your Passpet to fill in your old password, change the label, and click on your Passpet to fill in your new password. If you ever need your old password again, you can recover it by entering the old label.

Setting Up Passpet

When you install Passpet, you will be asked for your Passpet address. This address looks just like an e-mail address — username@host. The part after the at-sign identifies your Passpet server, which stores your site labels so that you can use Passpet to calculate your passwords from other computers as well. It can refer to any site running a Passpet server, and you don't have to trust it with your passwords — the server stores only your site label information, not your secrets, and the file is encrypted so even the server's administrator can't look at it to find out where you have website accounts.

If you're setting up Passpet for the first time, you will also be asked to choose your master secret. You'll get real-time feedback on the strength of your secret as you type it in. You can make your secret stronger by typing more characters, or just by waiting for Passpet to do more calculations.