Passpet makes logging in to websites easier: just click a button to fill in your username and password. You only need to memorize one secret, and Passpet will generate a different password for each site. Even if there is a break-in at one site, your other accounts and passwords are safe. Passpet protects you from attackers who try to fool you into revealing passwords because each password is generated only for the site where you originally established it.
Here are a few ways Passpet improves on previous password helper tools:
- You click a button instead of typing in your password.
- Impostors can't get you to give away your passwords, because you never type them in.
- The button you click is personalized, which makes it hard for impostors to fool you with a fake login.
- You can change your password for an individual site whenever you want.
- Your passwords are never saved in a file anywhere.
- You can use your passwords to log in from more than one computer.
- Someone who steals one of your passwords would have to do a lot of work to guess your other passwords, and you can make it take as much work as you want.
- You can inhibit attacks by choosing a trickier password, or just by waiting longer.
The Passpet source code is released as open source under the Apache 2.0 License.
How to Use Passpet
Passpet appears on your Firefox toolbar as an animal icon. Everyone gets a randomly chosen animal with a randomly chosen name, so the Passpet button is hard for an impostor to imitate. When you first start Firefox, your Passpet is asleep. To awaken it, click on it and enter your master secret.
When your Passpet is awake, click on it to automatically fill in your username and password for a site.
Setting Up Accounts
The text box next to your Passpet lets you label the sites you know, so you can tell them apart from fraudulent websites. If you enter a label in the text box, the label will reappear when you are back at the same site.
To fill in a password, Passpet calculates the password from your label. So, to start using Passpet at a particular website, enter a site label in the box. When registering for a new account on the site, click on your Passpet to fill in the new password. To start using Passpet with an already existing account, first log in to the website and go to its "change password" page, then enter your old password and click on your Passpet to fill in the new password.
If you change the label, Passpet will calculate a different password. So, if you want to change your existing password at a particular site, you go to the "change password" page, click on your Passpet to fill in your old password, change the label, and click on your Passpet to fill in your new password. If you ever need your old password again, you can recover it by entering the old label.
Setting Up Passpet
When you install Passpet, you will be asked for your Passpet address. This address looks just like an e-mail address — username@host. The part after the at-sign identifies your Passpet server, which stores your site labels so that you can use Passpet to calculate your passwords from other computers as well. It can refer to any site running a Passpet server, and you don't have to trust it with your passwords — the server stores only your site label information, not your secrets, and the file is encrypted so even the server's administrator can't look at it to find out where you have website accounts.
If you're setting up Passpet for the first time, you will also be asked to choose your master secret. You'll get real-time feedback on the strength of your secret as you type it in. You can make your secret stronger by typing more characters, or just by waiting for Passpet to do more calculations.